{"id":"CVE-2026-59889","summary":"jackson-databind: @JsonView ypassed for @JsonUnwrapped container properties on deserialization","details":"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1.","aliases":["GHSA-5gvw-p9qm-jgwh"],"modified":"2026-07-18T03:47:45.395567493Z","published":"2026-07-14T19:57:48.473Z","related":["openSUSE-SU-2026:11279-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59889.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-863"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59889.json"},{"type":"ADVISORY","url":"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5gvw-p9qm-jgwh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59889"},{"type":"REPORT","url":"https://github.com/FasterXML/jackson-databind/issues/6060"},{"type":"FIX","url":"https://github.com/FasterXML/jackson-databind/commit/d627a8a86fcb062429282f79f3f256f181ed2c7b"},{"type":"FIX","url":"https://github.com/FasterXML/jackson-databind/pull/6056"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fasterxml/jackson-databind","events":[{"introduced":"6ecd5fc917ecc2f9b45bd476de70f01849239902"},{"introduced":"220ee04ec724e5f5ea60fe5e638670e83e994765"},{"introduced":"ed2541fedfc6005fd249343f01e6090c8c3395f6"},{"introduced":"d51183e4fa171235bcd31c63268c5ad1745afb8c"},{"introduced":"0f45333297a3d0504f2706c2aff2177586150d25"},{"fixed":"f7b3266eb21a232b35520d31ce5e304beb8f1c7c"},{"fixed":"09b89813cde3c8a56c696b5b5fb415fa4a1f1d51"},{"fixed":"446f4ce26371980a5634cf47fedc376b5e411ac6"},{"fixed":"a4f1f5e2b7bfce0ca55db9d4769de98fa911df83"},{"fixed":"5d74e874671faef1d786cd6d25abfd02daa4c682"},{"fixed":"d627a8a86fcb062429282f79f3f256f181ed2c7b"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"2.18.0"},{"fixed":"2.18.9"},{"introduced":"2.21.0"},{"fixed":"2.21.5"},{"introduced":"2.22.0"},{"fixed":"2.22.1"},{"introduced":"3.0.0"},{"fixed":"3.1.5"},{"introduced":"3.2.0"},{"fixed":"3.2.1"}]}}],"versions":["jackson-databind-3.2.0","jackson-databind-2.22.0","jackson-databind-3.1.4","jackson-databind-2.21.4","jackson-databind-2.18.8","jackson-databind-3.1.3","jackson-databind-2.21.3","jackson-databind-2.18.7","jackson-databind-3.1.2","jackson-databind-3.1.1","jackson-databind-2.21.2","jackson-databind-3.1.0","jackson-databind-2.21.1","jackson-databind-2.18.6","jackson-databind-3.1.0-rc1","jackson-databind-2.21.0","jackson-databind-2.18.5","jackson-databind-3.0.1","jackson-databind-3.0.0","jackson-databind-2.18.4","jackson-databind-2.18.3","jackson-databind-2.18.2","jackson-databind-2.18.1","jackson-databind-2.18.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59889.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}