PT-2026-51595 · Unknown · Jackson-Databind

Caveeroo (+1) · Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-54512

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

jackson-databind versions 2.10.0 through 2.18.7
jackson-databind versions 2.21.0 through 2.21.3
jackson-databind versions 3.1.0 through 3.1.3
Description

An issue exists in the PolymorphicTypeValidator (PTV), the primary safety mechanism for polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (indicated by the < character), the function DatabindContext.resolveAndValidateGeneric() validates only the raw container class name against the configured PTV. If the container is approved, the full canonical type string is parsed via TypeFactory.constructFromCanonical() and returned without the nested type arguments ever being validated. This allows an attacker to bypass an allow-list by placing a denied class as a generic type parameter of an allowed container, such as java.util.ArrayList<com.evil.Gadget>. The denied class is then loaded via Class.forName(name, true, loader), instantiated, and populated with attacker-controlled JSON properties. This can lead to arbitrary class instantiation and potentially to unauthenticated remote code execution if classes with exploitable side effects are present on the classpath.
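As an added illustration (this is not Jackson's code and not part of the advisory), the following Python models the two validation strategies the description contrasts: checking only the raw container class against an allow-list, versus parsing the canonical type string and checking every nested type argument. The allow-list, the class names (including the constructed com.example.NotAllowed) and the small canonical-type parser are assumptions made for this example; Jackson's real PTV API is deliberately not used.

```python
import re

# Constructed allow-list standing in for a PTV configuration. Only these
# classes may be instantiated through polymorphic type identifiers.
ALLOWED = {
    "java.util.ArrayList",
    "java.util.HashMap",
    "java.lang.String",
    "java.lang.Integer",
}

# A Java binary class name: package segments, '$' for inner classes.
IDENT = re.compile(r"[A-Za-z_$][\w$.]*")


def raw_class_name(type_id: str) -> str:
    """The container class only, i.e. everything before the first '<'."""
    return type_id.split("<", 1)[0].strip()


def validate_raw_only(type_id: str, allowed: set) -> bool:
    """Models the flawed check: the type id is approved as soon as the raw
    container class is on the allow-list; nested arguments are ignored."""
    return raw_class_name(type_id) in allowed


def parse_canonical(type_id: str) -> tuple:
    """Parse 'A<B,C<D>>' into a tree of (raw_name, [argument trees]).
    Raises ValueError on malformed input so callers can reject it."""
    text = type_id.replace(" ", "")
    pos = 0

    def parse_type() -> tuple:
        nonlocal pos
        m = IDENT.match(text, pos)
        if not m:
            raise ValueError(f"expected class name at offset {pos}")
        pos = m.end()
        args = []
        if pos < len(text) and text[pos] == "<":
            pos += 1
            while True:
                args.append(parse_type())
                if pos < len(text) and text[pos] == ",":
                    pos += 1
                    continue
                if pos < len(text) and text[pos] == ">":
                    pos += 1
                    break
                raise ValueError(f"expected ',' or '>' at offset {pos}")
        return (m.group(0), args)

    tree = parse_type()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return tree


def all_class_names(type_id: str) -> list:
    """Every class name in the canonical type, container and arguments,
    in left-to-right order."""
    names = []

    def walk(node: tuple) -> None:
        raw, args = node
        names.append(raw)
        for arg in args:
            walk(arg)

    walk(parse_canonical(type_id))
    return names


def validate_recursively(type_id: str, allowed: set) -> bool:
    """The hardened check: every class mentioned anywhere in the canonical
    type must be on the allow-list, and unparseable ids are rejected."""
    try:
        names = all_class_names(type_id)
    except ValueError:
        return False
    return all(name in allowed for name in names)


if __name__ == "__main__":
    # Constructed type ids: an allowed container wrapping a denied class,
    # and a fully allowed nested type.
    bypass = "java.util.ArrayList<com.example.NotAllowed>"
    benign = "java.util.HashMap<java.lang.String,java.util.ArrayList<java.lang.Integer>>"
    for tid in (bypass, benign):
        print(tid)
        print("  raw-only check  :", validate_raw_only(tid, ALLOWED))
        print("  recursive check :", validate_recursively(tid, ALLOWED))
```

Running the block shows the raw-only check approving the bypass id while the recursive check rejects it; the benign nested type passes both. The parser also refuses unbalanced or truncated ids, which the hardened validator treats as a denial rather than an error to be swallowed.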
Recommendations

Update to version 2.18.8.
Update to version 2.21.4.
Update to version 3.1.4.

Fix

Weakness Enumeration

Deserialization of Untrusted Data
Incomplete List of Disallowed Inputs

Related Identifiers

CVE-2026-54512
GHSA-J3RV-43J4-C7QM

Affected Products

Jackson-Databind