๐Ÿ” CVE Alert

CVE-2026-59888

MEDIUM 6.5

jackson-databind: @JsonIgnore on a Record property is bypassed with a PropertyNamingStrategy

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.15.0 until 2.18.8, 2.21.4, and 3.1.4, Java Records using a PropertyNamingStrategy can bypass @JsonIgnore because POJOPropertiesCollector._removeUnwantedIgnorals() records an ignored component under its original implicit name before _renameUsing() applies the naming strategy, allowing the renamed JSON key to be assigned to the Record constructor parameter. This issue is fixed in versions 2.18.8, 2.21.4, and 3.1.4.

CWE CWE-915
Vendor fasterxml
Product jackson-databind
Published Jul 14, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for fasterxml jackson-databind

Be the first to know when new medium vulnerabilities affecting fasterxml jackson-databind are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

FasterXML / jackson-databind
>= 2.15.0, < 2.18.8 >= 2.19.0, < 2.21.4 >= 3.0.0, < 3.1.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-3pjw-73gf-8qr5 github.com: https://github.com/FasterXML/jackson-databind/pull/5974 github.com: https://github.com/FasterXML/jackson-databind/commit/baa2cdf5ca2b2717fbb88d91955d69d8651df3e4 github.com: https://github.com/FasterXML/jackson-databind/commit/c7c678360624da5bc7eed2152789fa522880db9d