How CVE-2026-54515 Works
This vulnerability resides in the `BeanDeserializerBase.createContextual()` method of the Jackson-databind library, which is responsible for constructing a deserializer for a given Java type.
The core of the issue is a logic flaw in how the library handles two distinct deserialization features: per-property `@JsonIgnoreProperties` exclusions and case-insensitive property matching.
1. Initial Exclusion: When a contextual deserializer is being created, the `_handleByNameInclusion()` method is called. This method processes any `@JsonIgnoreProperties` annotations that are applied at the property level. Its job is to remove the specified properties from the deserializer’s BeanPropertyMap, which is the internal structure that tracks which JSON fields can be bound to the Java object. After this step, the deserializer correctly has a filtered map where the ignored properties are absent.
2. The Flaw: Following this, the code enters a block that handles case-insensitive deserialization, which is triggered by the `@JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)` annotation. To enable this feature, the deserializer needs to rebuild its internal property map to account for case variations. However, the vulnerability occurs because this rebuilding process uses the original, unfiltered property map (`this._beanProperties`) as its source, rather than the already-filtered contextual map (`contextual._beanProperties`).
3. Overwrite and Bypass: The newly rebuilt map, which contains all properties including those that were supposed to be ignored, is then written back, overwriting the filtered map that was just created by `_handleByNameInclusion()`. This action effectively restores every property that had been removed. As a result, a property that was meant to be unwritable and excluded from deserialization becomes writable again, allowing it to be set from JSON input.
In essence, the case-insensitivity feature unintentionally undoes the security control provided by `@JsonIgnoreProperties`, leading to a mass-assignment-style vulnerability.
DailyCVE Form
Platform: Jackson-databind
Version: 2.8.0 – 2.18.8, 2.19.0 – 2.21.4, 3.1.0 – 3.1.3
Vulnerability: Case-insensitive deserialization bypass
Severity: Medium (5.3)
Date: 2026-06-23
Prediction: 2026-06-04 (already patched)
What Undercode Say
Analytics:
The vulnerability stems from a flawed interaction between two deserialization features. The root cause is the use of the wrong variable (`this._beanProperties` instead of `contextual._beanProperties`) when rebuilding the property map for case-insensitive matching.
Bash Commands & Codes:
To check your project’s Jackson-databind version (Maven):
mvn dependency:tree | grep jackson-databind
To check your project’s Jackson-databind version (Gradle):
gradle dependencies | grep jackson-databind
Vulnerable Code Pattern (Conceptual):
// Vulnerable logic within BeanDeserializerBase.createContextual()
// 1. Exclusions are applied
deserializer = _handleByNameInclusion(...); // Filtered map created
// 2. Case-insensitivity block rebuilds from the wrong source
if (isCaseInsensitive()) {
    // BUG: Rebuilds from the original, unfiltered 'this._beanProperties'
    // instead of the filtered 'contextual._beanProperties'
    deserializer = deserializer.withProperties(this._beanProperties);
    // The filtered map is now overwritten!
}
How the Exploit Works:
An attacker can exploit this by crafting a JSON payload that includes a property which the application developer intended to be ignored via @JsonIgnoreProperties.
Example Scenario:
Consider a Java class (a per-property `@JsonIgnoreProperties` applies to the annotated property's value type, so it belongs on an object-valued property whose type declares the field to be excluded):
public class User {
    public String username;
    @JsonIgnoreProperties("admin") // exclude Profile.admin when binding this property
    public Profile profile;
}
@JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
public class Profile {
    public boolean admin = false;
}
If the application is configured to use case-insensitive deserialization (e.g., via `@JsonFormat` on the class, as above), an attacker could send the following JSON:
{
    "username": "attacker",
    "profile": { "admin": true }
}
Due to the vulnerability, the `admin` property, which should have been ignored, is successfully deserialized and set to true, granting the attacker elevated privileges.
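A regression check a team can run against its own jackson-databind build to see whether a per-property exclusion survives case-insensitive matching. This is an added example, not code from the advisory or the Jackson project; the `User`/`Profile` types and the input are constructed here, and the imports assume Jackson 2.x (3.x moves `ObjectMapper` to the `tools.jackson.databind` package).

```java
import com.fasterxml.jackson.annotation.JsonFormat;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

// Does a per-property @JsonIgnoreProperties exclusion hold when the value
// type requests case-insensitive property matching?
public class IgnoreExclusionCheck {

    // Constructed sample types. The per-property annotation applies to the
    // annotated property's value type, so the excluded field lives in Profile.
    public static class User {
        public String username;
        @JsonIgnoreProperties("admin")
        public Profile profile;
    }

    // Case-insensitive matching is what triggers the property-map rebuild in
    // BeanDeserializerBase.createContextual().
    @JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
    public static class Profile {
        public String displayName;
        public boolean admin = false;
    }

    // Constructed input: "displayname" binds only if case-insensitive matching
    // is active; "admin" is listed as ignored and must stay false.
    static final String INPUT =
        "{\"username\":\"alice\",\"profile\":{\"displayname\":\"A\",\"admin\":true}}";

    // Returns true when the excluded property was written from JSON.
    public static boolean exclusionBypassed(ObjectMapper mapper) throws Exception {
        User u = mapper.readValue(INPUT, User.class);
        if (u.profile.displayName == null) {
            // Case-insensitive matching did not apply; the check is inconclusive.
            throw new IllegalStateException("case-insensitive matching not active");
        }
        return u.profile.admin;
    }

    public static void main(String[] args) throws Exception {
        boolean bypassed = exclusionBypassed(new ObjectMapper());
        System.out.println(bypassed
            ? "AFFECTED: ignored property 'admin' was set from JSON"
            : "OK: ignored property 'admin' stayed excluded");
    }
}
```

On a patched build the listed property is skipped silently (it is in the deserializer's ignorable set), so the check prints OK without an unknown-property error.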
Protection:
Immediate Action: The most effective protection is to upgrade the `jackson-databind` library to a patched version: 2.18.9, 2.21.5, or 3.1.4 (or later).
Mitigation: If an immediate upgrade is not possible, consider temporarily avoiding the combination of per-property `@JsonIgnoreProperties` and `@JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)` on the same class until the library can be updated.
Impact:
Mass Assignment: The primary impact is a mass assignment vulnerability. An attacker can set the value of fields that were intended to be read-only or hidden from the deserialization process.
Privilege Escalation / Data Tampering: If the ignored properties control security-sensitive state (e.g., isAdmin, role, accountBalance), an attacker could manipulate these fields to escalate privileges, tamper with data, or bypass business logic.
CVSS Score: The vulnerability has a CVSS base score of 5.3 (Medium).
Sources:
Reported By: github.com