Jackson Databind ignore-property bypass in 2.8.02.18.9, 2.21.5 & 3.1.4
CVE-2026-54515 Published on June 23, 2026
jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
Vulnerability Analysis
CVE-2026-54515 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is a Mass Assignment Vulnerability?
The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CVE-2026-54515 has been classified to as a Mass Assignment vulnerability or weakness.
Products Associated with CVE-2026-54515
Want to know whenever a new CVE is published for FasterXML Jackson Databind? stack.watch will email you.
Affected Versions
FasterXML jackson-databind:- Version >= 2.8.0, < 2.18.9 is affected.
- Version >= 2.19.0, < 2.21.5 is affected.
- Version >= 3.1.0, < 3.1.4 is affected.