CVE-2026-59888

NameCVE-2026-59888
Descriptionjackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.15.0 until 2.18.8, 2.21.4, and 3.1.4, Java Records using a PropertyNamingStrategy can bypass @JsonIgnore because POJOPropertiesCollector._removeUnwantedIgnorals() records an ignored component under its original implicit name before _renameUsing() applies the naming strategy, allowing the renamed JSON key to be assigned to the Record constructor parameter. This issue is fixed in versions 2.18.8, 2.21.4, and 3.1.4.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jackson-databind (PTS)bullseye2.12.1-1+deb11u1fixed
bullseye (security)2.12.1-1+deb11u2fixed
bookworm, bookworm (security)2.14.0-1+deb12u1fixed
trixie (security), trixie2.14.0+ds-1+deb13u1fixed
forky, sid2.14.0+ds-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jackson-databindsource(unstable)(not affected)

Notes

- jackson-databind <not-affected> (Vulnerable code introduced later)
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-3pjw-73gf-8qr5
https://github.com/FasterXML/jackson-databind/pull/5974
Fixed by: https://github.com/FasterXML/jackson-databind/commit/c7c678360624da5bc7eed2152789fa522880db9d (jackson-databind-2.18.8)

Search for package or bug name: Reporting problems