CVE-2026-59888

Summary

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.15.0 until 2.18.8, 2.21.4, and 3.1.4, Java Records using a PropertyNamingStrategy can bypass @JsonIgnore because POJOPropertiesCollector._removeUnwantedIgnorals() records an ignored component under its original implicit name before _renameUsing() applies the naming strategy, allowing the renamed JSON key to be assigned to the Record constructor parameter. This issue is fixed in versions 2.18.8, 2.21.4, and 3.1.4.

Affected Software

VendorProductVersion RangeStatus
FasterXMLjackson-databind>= 2.15.0, < 2.18.8affected
FasterXMLjackson-databind>= 2.19.0, < 2.21.4affected
FasterXMLjackson-databind>= 3.0.0, < 3.1.4affected

Weaknesses

  • CWE-915: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References