CVE-2026-59889

Source
https://cve.org/CVERecord?id=CVE-2026-59889
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59889.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59889
Aliases
  • GHSA-5gvw-p9qm-jgwh
Downstream
Related
Published
2026-07-14T19:57:48.473Z
Modified
2026-07-16T10:14:40.172006705Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
jackson-databind: @JsonView ypassed for @JsonUnwrapped container properties on deserialization
Details

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59889.json",
    "cwe_ids": [
        "CWE-863"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "3.2.0"
                },
                {
                    "fixed": "3.2.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/fasterxml/jackson-databind

Affected ranges

Type
GIT
Repo
https://github.com/fasterxml/jackson-databind
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.18.0"
        },
        {
            "fixed": "2.18.9"
        },
        {
            "introduced": "2.21.0"
        },
        {
            "fixed": "2.21.5"
        },
        {
            "introduced": "2.22.0"
        },
        {
            "fixed": "2.22.1"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.1.5"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

jackson-databind-2.*
jackson-databind-2.18.0
jackson-databind-2.18.1
jackson-databind-2.18.2
jackson-databind-2.18.3
jackson-databind-2.18.4
jackson-databind-2.18.5
jackson-databind-2.18.6
jackson-databind-2.18.7
jackson-databind-2.18.8
jackson-databind-2.21.0
jackson-databind-2.21.1
jackson-databind-2.21.2
jackson-databind-2.21.3
jackson-databind-2.21.4
jackson-databind-2.22.0
jackson-databind-3.*
jackson-databind-3.0.0
jackson-databind-3.0.1
jackson-databind-3.1.0
jackson-databind-3.1.0-rc1
jackson-databind-3.1.1
jackson-databind-3.1.2
jackson-databind-3.1.3
jackson-databind-3.1.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59889.json"