jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59889.json",
"cwe_ids": [
"CWE-863"
],
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.1"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "2.18.0"
},
{
"fixed": "2.18.9"
},
{
"introduced": "2.21.0"
},
{
"fixed": "2.21.5"
},
{
"introduced": "2.22.0"
},
{
"fixed": "2.22.1"
},
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.5"
}
],
"source": [
"AFFECTED_FIELD",
"REFERENCES"
]
}