PT-2026-51596 · Unknown · Jackson-Databind

Omkhar · Published 2026-06-23 · Updated 2026-06-23

CVE-2026-54513 · CVSS v3.1 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

jackson-databind versions 2.10.0 through 2.18.7
jackson-databind versions 2.19.0 through 2.21.3
jackson-databind versions 3.0.0 through 3.1.3

Description

BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based solely on clazz.isArray(), without validating the array's component type against the configured allowlist. In configurations that enable this rule, an attacker who controls the JSON input can instantiate non-allowlisted types by naming an array of them in the polymorphic type id, bypassing the protection the Polymorphic Type Validator (PTV) is meant to provide and re-introducing the risk of gadget instantiation. The bypass works because, when Jackson deserializes the array's elements without per-element type IDs, it instantiates the component type directly with no further PTV check.

Recommendations

Update to version 2.18.8
Update to version 2.21.4
Update to version 3.1.4
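The following Java program is an added illustration of the weakness described above; it is not code from this page or from the Jackson project. Written against the jackson-databind 2.x API, it places the weak configuration (an allowlist plus allowIfSubTypeIsArray()) beside a hardened one that unwraps array type ids and validates the innermost component type against the same allowlist. The classes Allowed and NotAllowlisted, the helpers weakPtv, hardenedPtv and accepts, and the ComponentCheckingPtv wrapper are all assumptions of the example: the wrapper is one possible interim mitigation for deployments that cannot upgrade at once, not the upstream fix. The two JSON payloads are constructed for the demonstration.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class ArrayAwarePtvExample {

    /** Type the application legitimately expects inside polymorphic payloads (example class). */
    public static class Allowed { public String note; }

    /** Stand-in for any class that is NOT on the allowlist; a real gadget would sit here (example class). */
    public static class NotAllowlisted { public String note; }

    /** Weak configuration: allowIfSubTypeIsArray() admits ANY array, whatever its component type. */
    static PolymorphicTypeValidator weakPtv() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Allowed.class)
                .allowIfSubTypeIsArray()
                .build();
    }

    /** Hardened configuration: no blanket array rule; arrays are unwrapped and the component type validated. */
    static PolymorphicTypeValidator hardenedPtv() {
        return new ComponentCheckingPtv(
                BasicPolymorphicTypeValidator.builder().allowIfSubType(Allowed.class).build());
    }

    /** Assumed interim mitigation (not the project's fix): validate the innermost component type of any array. */
    static final class ComponentCheckingPtv extends PolymorphicTypeValidator {
        private static final long serialVersionUID = 1L;
        private final PolymorphicTypeValidator delegate;

        ComponentCheckingPtv(PolymorphicTypeValidator delegate) { this.delegate = delegate; }

        @Override
        public Validity validateBaseType(MapperConfig<?> config, JavaType baseType) throws JsonMappingException {
            return delegate.validateBaseType(config, baseType);
        }

        @Override
        public Validity validateSubClassName(MapperConfig<?> config, JavaType baseType, String subClassName)
                throws JsonMappingException {
            // Array type ids use JVM descriptor syntax: "[Lpkg.Foo;" for object arrays, "[I" etc. for primitives.
            int dims = 0;
            while (dims < subClassName.length() && subClassName.charAt(dims) == '[') dims++;
            if (dims == 0) {
                return delegate.validateSubClassName(config, baseType, subClassName);
            }
            String component = subClassName.substring(dims);
            if (component.startsWith("L") && component.endsWith(";")) {
                component = component.substring(1, component.length() - 1);
                return delegate.validateSubClassName(config, baseType, component);
            }
            return Validity.INDETERMINATE; // primitive array: decided in validateSubType once resolved
        }

        @Override
        public Validity validateSubType(MapperConfig<?> config, JavaType baseType, JavaType subType)
                throws JsonMappingException {
            JavaType sub = subType;
            JavaType base = baseType;
            while (sub.isArrayType()) {            // peel every dimension: Foo[][] -> Foo
                sub = sub.getContentType();
                if (base.isArrayType()) base = base.getContentType();
            }
            if (sub.isPrimitive()) {
                return Validity.ALLOWED;           // int[], byte[], ... cannot carry a gadget
            }
            return delegate.validateSubType(config, base, sub);
        }
    }

    /** Returns true if the payload deserializes under the given PTV, false if the PTV rejects the type id. */
    static boolean accepts(PolymorphicTypeValidator ptv, String json) throws Exception {
        ObjectMapper mapper = JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads in WRAPPER_ARRAY type-id form. The declared target is Object, so the type id
        // is attacker-controlled; the elements are concrete, so they carry no per-element type id.
        String benign = "[\"" + Allowed[].class.getName() + "\", [{\"note\":\"ok\"}]]";
        String bypass = "[\"" + NotAllowlisted[].class.getName() + "\", [{\"note\":\"smuggled\"}]]";

        System.out.println("weak PTV, array of Allowed:            " + accepts(weakPtv(), benign));
        System.out.println("weak PTV, array of NotAllowlisted:     " + accepts(weakPtv(), bypass));
        System.out.println("hardened PTV, array of Allowed:        " + accepts(hardenedPtv(), benign));
        System.out.println("hardened PTV, array of NotAllowlisted: " + accepts(hardenedPtv(), bypass));
    }
}
```

Run it with a jackson-databind 2.x jar on the classpath. On an affected version the weak PTV accepts both payloads, because the array type id is approved by clazz.isArray() alone and the NotAllowlisted elements are then instantiated without any further PTV check; the hardened PTV still accepts the Allowed[] payload but rejects the NotAllowlisted[] one. The wrapper only narrows exposure for deployments that cannot patch immediately; the remediation is the upgrade listed under Recommendations, after which the wrapper is redundant. The 3.x API moves these validator methods to a DatabindContext parameter, so the wrapper as written applies to 2.x only.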

Fix

Weakness Enumeration

Incomplete List of Disallowed Inputs

Related Identifiers

CVE-2026-54513
GHSA-RMJ7-2VXQ-3G9F

Affected Products

Jackson-Databind