Bug 2491996 (CVE-2026-54516)

Summary: CVE-2026-54516 jackson-databind: jackson-databind: Security bypass due to improper handling of renamed properties
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aakkiang, aazores, abrianik, alinfoot, anthomas, ant, anujha, aschwart, asoldano, asyoung, aszczucz, ataylor, avibelli, bbaranow, bbrownin, bgeorges, bmaxwell, boliveir, bstansbe, ccranfor, cescoffi, cfu, chfoley, cmah, dandread, dbruscin, dfreiber, dhanak, dkreling, dlofthou, drichtar, drosa, drow, dschmidt, dsimansk, dtrifiro, eaguilar, ebaron, edewata, ehelms, ehugonne, ewittman, fmariani, fmongiar, ggainey, ggrzybek, gkimetto, gmalinko, gsmet, gtanzill, istudens, ivassile, iweiss, janstey, jburrell, jbuscemi, jhollowa, jkoehler, jlanda, jmagne, jmartisk, jnethert, jolong, jpasqual, jpechane, jraez, juwatts, jwon, kaycoth, kgaikwad, kingland, kshier, kvanderr, lphiri, lthon, manderse, mcarlett, mfargett, mhulan, mnovotny, mosmerov, mposolda, msvehla, nipatil, nmoumoul, nwallace, olubyans, osousa, pantinor, parichar, pberan, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, prichard, prisingh, probinso, rbryant, rchan, rgodfrey, rguimara, rhel-process-autobot, rkubis, rmartinc, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, simaishi, skhandel, smallamp, snegrini, ssilvert, stcannon, sthirugn, sthorger, swoodman, taherrin, tasato, tcunning, teagle, thjenkin, tmalecek, tqvarnst, vdosoudi, vkumar, vmuzikar, watson-tool-maintainers, weaton, yfang, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in jackson-databind. This vulnerability allows a remote attacker to bypass security controls by exploiting an issue in how properties are handled when both @JsonProperty (for renaming) and @JsonIgnore (for ignoring) annotations are used. By supplying a specially crafted JSON key, an attacker can directly write to a private data field, circumventing the intended security restrictions and potentially leading to unexpected data modification.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2495349, 2495353, 2495358, 2495360, 2495363, 2495366, 2495369, 2495371, 2495373, 2495343, 2495347    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-23 22:01:15 UTC
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.