CVE-2026-59889

NameCVE-2026-59889
Descriptionjackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jackson-databind (PTS)bullseye2.12.1-1+deb11u1fixed
bullseye (security)2.12.1-1+deb11u2fixed
bookworm, bookworm (security)2.14.0-1+deb12u1fixed
trixie (security), trixie2.14.0+ds-1+deb13u1fixed
forky, sid2.14.0+ds-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jackson-databindsource(unstable)(not affected)

Notes

- jackson-databind <not-affected> (Vulnerable code introduced later)
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5gvw-p9qm-jgwh
https://github.com/FasterXML/jackson-databind/issues/6060
https://github.com/FasterXML/jackson-databind/pull/6056
Fixed by: https://github.com/FasterXML/jackson-databind/commit/d627a8a86fcb062429282f79f3f256f181ed2c7b (jackson-databind-2.18.9)

Search for package or bug name: Reporting problems