Unrated severityOSV Advisory· Published Jul 16, 2026
Debian jackson-databind: jackson-databind contains the general-purpose data-binding functionality and tre…
CVE-2026-59889
Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1.
Affected products
2- Range: jackson-databind-2.22.0, jackson-databind-3.1.4, jackson-databind-2.21.4, …
- Range: 2.18.0 - 2.18.9, 2.21.5, 2.22.1, 3.1.5, 3.2.1
Patches
Vulnerability mechanics
News mentions
0No linked articles in our index yet.