CVE-2026-59888

Source
https://cve.org/CVERecord?id=CVE-2026-59888
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59888.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59888
Aliases
  • GHSA-3pjw-73gf-8qr5
Downstream
Related
Published
2026-07-14T16:44:20.091Z
Modified
2026-07-17T03:41:42.508943185Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
jackson-databind: @JsonIgnore on a Record property is bypassed with a PropertyNamingStrategy
Details

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.15.0 until 2.18.8, 2.21.4, and 3.1.4, Java Records using a PropertyNamingStrategy can bypass @JsonIgnore because POJOPropertiesCollector._removeUnwantedIgnorals() records an ignored component under its original implicit name before _renameUsing() applies the naming strategy, allowing the renamed JSON key to be assigned to the Record constructor parameter. This issue is fixed in versions 2.18.8, 2.21.4, and 3.1.4.

Database specific
{
    "cwe_ids": [
        "CWE-915"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59888.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/fasterxml/jackson-databind

Affected ranges

Type
GIT
Repo
https://github.com/fasterxml/jackson-databind
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.15.0"
        },
        {
            "fixed": "2.18.8"
        },
        {
            "introduced": "2.19.0"
        },
        {
            "fixed": "2.21.4"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.1.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

jackson-databind-2.*
jackson-databind-2.15.0
jackson-databind-2.16.0
jackson-databind-2.16.0-rc1
jackson-databind-2.17.0-rc1
jackson-databind-2.18.0
jackson-databind-2.18.0-rc1
jackson-databind-2.18.1
jackson-databind-2.18.2
jackson-databind-2.18.3
jackson-databind-2.18.4
jackson-databind-2.18.5
jackson-databind-2.18.6
jackson-databind-2.18.7
jackson-databind-2.19.0
jackson-databind-2.20.0
jackson-databind-2.20.0-rc1
jackson-databind-2.21.0
jackson-databind-2.21.1
jackson-databind-2.21.2
jackson-databind-2.21.3
jackson-databind-3.*
jackson-databind-3.0.0
jackson-databind-3.0.1
jackson-databind-3.1.0
jackson-databind-3.1.0-rc1
jackson-databind-3.1.1
jackson-databind-3.1.2
jackson-databind-3.1.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59888.json"