Back to overview

CVE-2026-54516

MEDIUM
5.3
CVSS 3.1
Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.

Metadata

CVE ID
CVE-2026-54516
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 18:40 UTC
Published
2026-06-23 20:48 UTC
Last updated
2026-06-23 20:48 UTC
Primary CWE
CWE-915
CWE-915: Improperly Controlled Modification of Dynamically-D…
Vendor / Product
FasterXML / jackson-databind
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
FasterXML jackson-databind >= 2.21.0, < 2.21.4, >= 3.0.0, < 3.1.4
Weakness (CWE)
CWESourceDescription
CWE-915 cna CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References (5)
Back to overview