| Name | CVE-2026-59889 |
| Description | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| jackson-databind (PTS) | bullseye | 2.12.1-1+deb11u1 | fixed |
| bullseye (security) | 2.12.1-1+deb11u2 | fixed | |
| bookworm, bookworm (security) | 2.14.0-1+deb12u1 | fixed | |
| trixie (security), trixie | 2.14.0+ds-1+deb13u1 | fixed | |
| forky, sid | 2.14.0+ds-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| jackson-databind | source | (unstable) | (not affected) |
- jackson-databind <not-affected> (Vulnerable code introduced later)
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5gvw-p9qm-jgwh
https://github.com/FasterXML/jackson-databind/issues/6060
https://github.com/FasterXML/jackson-databind/pull/6056
Fixed by: https://github.com/FasterXML/jackson-databind/commit/d627a8a86fcb062429282f79f3f256f181ed2c7b (jackson-databind-2.18.9)