{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54513", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-15T18:01:15.514Z", "datePublished": "2026-06-23T20:53:52.543Z", "dateUpdated": "2026-06-23T20:57:16.381Z"}, "containers": {"cna": {"title": "jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)", "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f"}, {"name": "https://github.com/FasterXML/jackson-databind/issues/5981", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/issues/5981"}, {"name": "https://github.com/FasterXML/jackson-databind/issues/5983", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/issues/5983"}, {"name": "https://github.com/FasterXML/jackson-databind/pull/5984", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/pull/5984"}, {"name": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5"}, {"name": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e"}], "affected": [{"vendor": "FasterXML", "product": "jackson-databind", "versions": [{"version": ">= 2.10.0, < 2.18.8", "status": "affected"}, {"version": ">= 2.19.0, < 2.21.4", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T20:57:16.381Z"}, "descriptions": [{"lang": "en", "value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."}], "source": {"advisory": "GHSA-rmj7-2vxq-3g9f", "discovery": "UNKNOWN"}}}}

{}

{}

{}

{"created": "2026-06-23T23:45:04.625737+00:00", "updated": "2026-06-23T23:45:04.625743+00:00", "vendors": []}