UBUNTU-CVE-2026-59888

Source
https://ubuntu.com/security/CVE-2026-59888
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59888.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-59888
Upstream
Published
2026-07-14T17:17:00Z
Modified
2026-07-15T19:48:11.116815605Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.15.0 until 2.18.8, 2.21.4, and 3.1.4, Java Records using a PropertyNamingStrategy can bypass @JsonIgnore because POJOPropertiesCollector._removeUnwantedIgnorals() records an ignored component under its original implicit name before _renameUsing() applies the naming strategy, allowing the renamed JSON key to be assigned to the Record constructor parameter. This issue is fixed in versions 2.18.8, 2.21.4, and 3.1.4.

References

Affected packages

Ubuntu:18.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.8.6-1
2.9.1-1
2.9.4-1
2.9.5-1
2.9.8-1~18.04

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.9.8-1~18.04",
            "binary_name": "libjackson2-databind-java"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59888.json"
Ubuntu:20.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.9.9.3-1
2.10.0-2
2.10.1-1
2.10.2-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.10.2-1",
            "binary_name": "libjackson2-databind-java"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59888.json"
Ubuntu:22.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.12.1-1
2.12.5-1
2.13.0-1
2.13.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.13.0-2",
            "binary_name": "libjackson2-databind-java"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59888.json"
Ubuntu:24.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.14.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.14.0-1",
            "binary_name": "libjackson2-databind-java"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59888.json"
Ubuntu:26.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.14.0+ds-1
2.14.0+ds-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.14.0+ds-1build1",
            "binary_name": "libjackson2-databind-java"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59888.json"
Ubuntu:Pro:14.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.2-1
2.2.2-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.2.2-1ubuntu0.1~esm1",
            "binary_name": "libjackson2-databind-java"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59888.json"
Ubuntu:Pro:16.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.4.2-2
2.4.2-3
2.4.2-3ubuntu0.1~esm1
2.4.2-3ubuntu0.1~esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.4.2-3ubuntu0.1~esm2",
            "binary_name": "libjackson2-databind-java"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59888.json"