{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-54513","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-15T18:01:15.514Z","datePublished":"2026-06-23T20:53:52.543Z","dateUpdated":"2026-07-09T12:09:48.406Z"},"containers":{"cna":{"title":"jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)","problemTypes":[{"descriptions":[{"cweId":"CWE-184","lang":"en","description":"CWE-184: Incomplete List of Disallowed Inputs","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f","tags":["x_refsource_CONFIRM"],"url":"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f"},{"name":"https://github.com/FasterXML/jackson-databind/issues/5981","tags":["x_refsource_MISC"],"url":"https://github.com/FasterXML/jackson-databind/issues/5981"},{"name":"https://github.com/FasterXML/jackson-databind/issues/5983","tags":["x_refsource_MISC"],"url":"https://github.com/FasterXML/jackson-databind/issues/5983"},{"name":"https://github.com/FasterXML/jackson-databind/pull/5984","tags":["x_refsource_MISC"],"url":"https://github.com/FasterXML/jackson-databind/pull/5984"},{"name":"https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5","tags":["x_refsource_MISC"],"url":"https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5"},{"name":"https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e","tags":["x_refsource_MISC"],"url":"https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e"}],"affected":[{"vendor":"FasterXML","product":"jackson-databind","versions":[{"version":">= 2.10.0, < 2.18.8","status":"affected"},{"version":">= 2.19.0, < 2.21.4","status":"affected"},{"version":">= 3.0.0, < 3.1.4","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-06-23T20:57:16.381Z"},"descriptions":[{"lang":"en","value":"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."}],"source":{"advisory":"GHSA-rmj7-2vxq-3g9f","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-24T14:45:02.581065Z","id":"CVE-2026-54513","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-24T14:45:22.699Z"}},{"affected":[{"cpes":["cpe:/a:redhat:apache_camel_quarkus:3.33"],"defaultStatus":"affected","product":"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:cryostat:4"],"defaultStatus":"affected","product":"Cryostat 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_broker:7"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_clients:2023"],"defaultStatus":"affected","product":"Red Hat AMQ Clients","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_hawtio:4"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel - HawtIO 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_quarkus:3"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel 4 for Quarkus 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_spring_boot:4"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel for Spring Boot 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apicurio_registry:3"],"defaultStatus":"affected","product":"Red Hat build of Apicurio Registry 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:3"],"defaultStatus":"affected","product":"Red Hat build of Debezium 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:build_keycloak:"],"defaultStatus":"affected","product":"Red Hat Build of Keycloak","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quarkus:3"],"defaultStatus":"affected","product":"Red Hat build of Quarkus","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:certificate_system:10"],"defaultStatus":"affected","product":"Red Hat Certificate System 10","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_data_grid:8"],"defaultStatus":"affected","product":"Red Hat Data Grid 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:7"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:red_hat_single_sign_on:7"],"defaultStatus":"affected","product":"Red Hat Single Sign-On 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:2"],"defaultStatus":"affected","product":"streams for Apache Kafka 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:3"],"defaultStatus":"affected","product":"streams for Apache Kafka 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools"],"defaultStatus":"unknown","product":"OpenShift Developer Tools and Services","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:serverless:1"],"defaultStatus":"unknown","product":"OpenShift Serverless","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"unknown","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unknown","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"unknown","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:lightspeed_for_runtimes:1"],"defaultStatus":"unknown","product":"Red Hat Lightspeed for Runtimes Operator","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:offline_knowledge_portal:1"],"defaultStatus":"unknown","product":"Red Hat Offline Knowledge Portal","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unknown","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3"],"defaultStatus":"unknown","product":"Red Hat OpenShift Dev Spaces","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"unknown","product":"Red Hat Satellite 6","vendor":"Red Hat"}],"datePublic":"2026-06-23T20:53:52.543Z","descriptions":[{"lang":"en","value":"A flaw was found in jackson-databind, a library used for processing data. This vulnerability allows an attacker to bypass security controls designed to validate data types. By sending specially crafted input, an attacker can force the system to process untrusted data, which may lead to the execution of malicious code. This could result in a complete compromise of the affected system, impacting its confidentiality, integrity, and availability."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-184","description":"Incomplete List of Disallowed Inputs","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-54513"},{"name":"RHBZ#2492010","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2492010"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54513.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36839"}],"solutions":[{"lang":"en","value":"RHSA-2026:36839: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"}],"timeline":[{"lang":"en","time":"2026-06-23T22:01:34.437Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-23T20:53:52.543Z","value":"Made public."}],"title":"jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution","workarounds":[{"lang":"en","value":"Upgrade to version 2.18.8, 2.21.4, or 3.1.4 or later to address this vulnerability. If upgrading is not immediately possible, remove BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() from the application’s ObjectMapper configuration to eliminate the affected deserialization path. Rebuild and restart the application to apply the configuration change.\n\nAs an additional mitigation, disable polymorphic deserialization of untrusted data where possible by avoiding or removing default typing features such as activateDefaultTyping() or enableDefaultTyping(). When polymorphic deserialization is required, restrict allowed subtypes using a strict whitelist of trusted application packages and avoid broad or permissive type validation rules."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-09T12:09:48.406Z"}}]}}