UBUNTU-CVE-2026-59889

Source
https://ubuntu.com/security/CVE-2026-59889
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59889.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-59889
Upstream
Published
2026-07-14T21:17:00Z
Modified
2026-07-15T19:47:52.037852464Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1.

References

Affected packages

Ubuntu:18.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.8.6-1
2.9.1-1
2.9.4-1
2.9.5-1
2.9.8-1~18.04

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackson2-databind-java",
            "binary_version": "2.9.8-1~18.04"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59889.json"
Ubuntu:20.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.9.9.3-1
2.10.0-2
2.10.1-1
2.10.2-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackson2-databind-java",
            "binary_version": "2.10.2-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59889.json"
Ubuntu:22.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.12.1-1
2.12.5-1
2.13.0-1
2.13.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackson2-databind-java",
            "binary_version": "2.13.0-2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59889.json"
Ubuntu:24.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.14.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackson2-databind-java",
            "binary_version": "2.14.0-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59889.json"
Ubuntu:26.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.14.0+ds-1
2.14.0+ds-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackson2-databind-java",
            "binary_version": "2.14.0+ds-1build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59889.json"
Ubuntu:Pro:14.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.2-1
2.2.2-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackson2-databind-java",
            "binary_version": "2.2.2-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59889.json"
Ubuntu:Pro:16.04:LTS
jackson-databind

Package

Name
jackson-databind
Purl
pkg:deb/ubuntu/jackson-databind?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.4.2-2
2.4.2-3
2.4.2-3ubuntu0.1~esm1
2.4.2-3ubuntu0.1~esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackson2-databind-java",
            "binary_version": "2.4.2-3ubuntu0.1~esm2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59889.json"