Cyber Resilience

CVE-2026-54513

Severity: High · Status: Updated

Published: 23 June 2026
Modified: 03 July 2026
CVSS v3.1 base score: 8.1 (High) · vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.0068 (47.8th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-54513 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in FasterXML jackson-databind. Its CVSS v3.1 base score is 8.1 (High). The vector describes a network-reachable attack needing no privileges or user interaction but with high attack complexity (AC:H), consistent with the bypass only applying to applications whose polymorphic type validator combines allowIfSubTypeIsArray() with a concrete-type allowlist.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 47.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

jackson-databind contains the general-purpose data-binding functionality and tree model for the Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
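The configuration pattern the advisory describes, shown as an added example that is not part of the advisory and not the Jackson project's own code. vulnerableValidator() reproduces an allowlist built with allowIfSubTypeIsArray() as an application on an affected 2.x release would have it; hardenedValidator() replaces that call with a custom TypeMatcher that resolves the innermost component type of an array and requires it to be on the same allowlist. SafeDto and NotAllowed are hypothetical classes (NotAllowed stands in for the advisory's EvilType and is deliberately empty, not a gadget). check() calls PolymorphicTypeValidator.validateSubType() directly through the mapper's blueprint DeserializationContext, which is an assumption about a convenient way to probe the validator without crafting a payload. Package names are those of Jackson 2.x; Jackson 3.x moved them under tools.jackson.databind.

```java
import java.util.HashSet;
import java.util.Set;

import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example for CVE-2026-54513; not code from the advisory or from jackson-databind.
public class ArrayAllowlistDemo {

    // Hypothetical application type that legitimately belongs on the allowlist.
    public static final class SafeDto {
        public String name;
    }

    // Hypothetical stand-in for the advisory's EvilType: a class that is NOT
    // allowlisted. It is empty on purpose; the only question is whether the
    // validator lets NotAllowed[] through.
    public static final class NotAllowed {
    }

    // The pattern the advisory describes: an explicit concrete-type allowlist
    // plus allowIfSubTypeIsArray(). On affected releases the array matcher
    // accepts any clazz.isArray() without looking at the component type.
    static PolymorphicTypeValidator vulnerableValidator() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(SafeDto.class)
                .allowIfSubTypeIsArray()
                .build();
    }

    // Hardened variant: the array matcher walks nested arrays down to the
    // innermost component type and matches only if that type is allowlisted.
    static PolymorphicTypeValidator hardenedValidator(final Set<Class<?>> allowed) {
        BasicPolymorphicTypeValidator.Builder b = BasicPolymorphicTypeValidator.builder();
        for (Class<?> c : allowed) {
            b.allowIfSubType(c);
        }
        b.allowIfSubType(new BasicPolymorphicTypeValidator.TypeMatcher() {
            @Override
            public boolean match(MapperConfig<?> ctxt, Class<?> clazz) {
                return clazz.isArray() && allowed.contains(innermostComponent(clazz));
            }
        });
        return b.build();
    }

    // NotAllowed[][] -> NotAllowed, SafeDto[] -> SafeDto, SafeDto -> SafeDto.
    static Class<?> innermostComponent(Class<?> clazz) {
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        return clazz;
    }

    // Probe the validator the way default typing would for a type id naming
    // `sub` under base type Object. Anything other than ALLOWED is rejected
    // by Jackson's default-typing subtype resolution.
    static PolymorphicTypeValidator.Validity check(ObjectMapper mapper,
            PolymorphicTypeValidator ptv, Class<?> sub) throws Exception {
        JavaType base = mapper.constructType(Object.class);
        JavaType subType = mapper.constructType(sub);
        return ptv.validateSubType(mapper.getDeserializationContext(), base, subType);
    }

    public static void main(String[] args) throws Exception {
        Set<Class<?>> allowed = new HashSet<>();
        allowed.add(SafeDto.class);
        PolymorphicTypeValidator weak = vulnerableValidator();
        PolymorphicTypeValidator strong = hardenedValidator(allowed);

        // Mapper wired the way an application would wire it; here it is only
        // needed for constructType() and the blueprint DeserializationContext.
        ObjectMapper mapper = JsonMapper.builder()
                .activateDefaultTyping(strong, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();

        System.out.println("weak   NotAllowed[]   -> " + check(mapper, weak, NotAllowed[].class));
        System.out.println("strong NotAllowed[]   -> " + check(mapper, strong, NotAllowed[].class));
        System.out.println("strong NotAllowed[][] -> " + check(mapper, strong, NotAllowed[][].class));
        System.out.println("strong SafeDto[]      -> " + check(mapper, strong, SafeDto[].class));
        System.out.println("strong SafeDto        -> " + check(mapper, strong, SafeDto.class));
    }
}
```

On an affected release the weak validator reports ALLOWED for NotAllowed[], because the only test its array matcher applies is isArray(); the hardened matcher returns INDETERMINATE for NotAllowed[] and NotAllowed[][], which default typing treats as a rejection, and ALLOWED for SafeDto[] and SafeDto. The matcher does not allowlist primitive-component arrays such as int[]; add those explicitly if the application needs them. Treat the matcher as an interim workaround for code that cannot yet move to 2.18.8, 2.21.4 or 3.1.4; upgrading remains the fix.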

CWE(s)

CWE-184 Incomplete List of Disallowed Inputs

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Bypass of polymorphic type validation in Jackson deserialization directly enables remote exploitation of applications using the library via crafted input.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-54512 · Same product: Fasterxml Jackson-Databind
CVE-2021-46877 · Same product: Fasterxml Jackson-Databind
CVE-2025-71320 · Shared CWE-184
CVE-2025-48732 · Shared CWE-184
CVE-2026-42590 · Shared CWE-184
CVE-2026-43566 · Shared CWE-184
CVE-2026-29062 · Same vendor: Fasterxml
CVE-2026-43532 · Shared CWE-184
CVE-2026-34415 · Shared CWE-184
CVE-2026-41361 · Shared CWE-184

Affected Assets

fasterxml
jackson-databind
2.10.0 up to (not including) 2.18.8 · 2.19.0 up to (not including) 2.21.4 · 3.0.0 up to (not including) 3.1.4 (2.18.8, 2.21.4 and 3.1.4 are the fixed releases)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-184

Spam filters rely on evolving blacklists, signatures, and heuristics of disallowed message patterns; keeping them updated per the control directly mitigates incomplete disallowed-input lists. This is a generic CWE-184 mapping and does not address the weakness in this CVE, which is an allowlist bypass inside an application's deserializer. The applicable mitigation is upgrading jackson-databind to 2.18.8, 2.21.4 or 3.1.4; until then, do not combine allowIfSubTypeIsArray() with a concrete-type allowlist when deserializing untrusted polymorphic input.

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248691 OL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. (via CWE-184)

This rule is reached only through the shared CWE: it governs password composition and does not reduce exposure to a deserialization allowlist bypass in an application library.
