<Vulnerability name="CVE-2026-54513">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-23T20:53:52</PublicDate>
    <Bugzilla id="2492010" url="https://bugzilla.redhat.com/show_bug.cgi?id=2492010" xml:lang="en:us">
jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>8.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-184</CWE>
    <Details xml:lang="en:us" source="Mitre">
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in jackson-databind, a library used for processing data. This vulnerability allows an attacker to bypass security controls designed to validate data types. By sending specially crafted input, an attacker can force the system to process untrusted data, which may lead to the execution of malicious code. This could result in a complete compromise of the affected system, impacting its confidentiality, integrity, and availability.
    </Details>
    <Statement xml:lang="en:us">
This Important flaw in `jackson-databind` allows for a security bypass, enabling arbitrary code execution. The vulnerability arises from insufficient validation of array component types by `BasicPolymorphicTypeValidator`, which permits deserialization of unallowlisted types when processing untrusted input. This bypass of type validation can lead to a complete system compromise, affecting confidentiality, integrity, and availability in Red Hat products utilizing `jackson-databind` for data processing.
    </Statement>
    <Mitigation xml:lang="en:us">
Upgrade to version 2.18.8, 2.21.4, or 3.1.4 or later to address this vulnerability. If upgrading is not immediately possible, remove BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() from the application’s ObjectMapper configuration to eliminate the affected deserialization path. Rebuild and restart the application to apply the configuration change.

As an additional mitigation, disable polymorphic deserialization of untrusted data where possible by avoiding or removing default typing features such as activateDefaultTyping() or enableDefaultTyping(). When polymorphic deserialization is required, restrict allowed subtypes using a strict whitelist of trusted application packages and avoid broad or permissive type validation rules.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:apache_camel_quarkus:3.33">
        <ProductName>Red Hat Build of Apache Camel 4.18 for Quarkus 3.33</ProductName>
        <ReleaseDate>2026-07-08T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:36839">RHSA-2026:36839</Advisory>
        <Package name="jackson-databind">jackson-databind</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <ReleaseDate>2026-07-16T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:40895">RHSA-2026:40895</Advisory>
        <Package name="jackson-databind">jackson-databind-0:2.21.4-1.el9_8</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:cryostat:4">
        <ProductName>Cryostat 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ocp_tools">
        <ProductName>OpenShift Developer Tools and Services</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>jenkins</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ocp_tools">
        <ProductName>OpenShift Developer Tools and Services</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>jenkins-2-plugins</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ocp_tools">
        <ProductName>OpenShift Developer Tools and Services</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>ocp-tools-4/jenkins-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ocp_tools">
        <ProductName>OpenShift Developer Tools and Services</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>ocp-tools-4/jenkins-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-ekb-dispatcher-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-ekb-receiver-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhaiis/vllm-cuda-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhaii/vllm-gaudi-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_clients:2023">
        <ProductName>Red Hat AMQ Clients</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>ansible-automation-platform-27/de-minimal-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>ansible-automation-platform-27/de-supported-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>python3.11-drools-jpy-jar</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>python3.12-drools-jpy-jar</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>python3x-drools-jpy-jar</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>python-drools-jpy-jar</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:camel_quarkus:3">
        <ProductName>Red Hat build of Apache Camel 4 for Quarkus 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:camel_spring_boot:4">
        <ProductName>Red Hat build of Apache Camel for Spring Boot 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:apache_camel_hawtio:4">
        <ProductName>Red Hat build of Apache Camel - HawtIO 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:apicurio_registry:3">
        <ProductName>Red Hat build of Apicurio Registry 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:debezium:3">
        <ProductName>Red Hat build of Debezium 3</ProductName>
        <FixState>Will not fix</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk/keycloak-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk/keycloak-rhel9-operator</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk-openshift-rhel9/rhbk-openshift-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk-rhel9-operator/rhbk-rhel9-operator</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:quarkus:3">
        <ProductName>Red Hat build of Quarkus</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:certificate_system:10">
        <ProductName>Red Hat Certificate System 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>redhat-pki:10/redhat-pki</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>dogtag-pki</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>pki-deps:10.6/jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhelai3/bootc-gaudi-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:7">
        <ProductName>Red Hat JBoss Enterprise Application Platform 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>eap74-els-openjdk11-openshift-rhel8/eap74-els-openjdk11-openshift-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:7">
        <ProductName>Red Hat JBoss Enterprise Application Platform 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>eap74-els-openjdk17-openshift-rhel8/eap74-els-openjdk17-openshift-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:7">
        <ProductName>Red Hat JBoss Enterprise Application Platform 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>eap74-els-openjdk8-openshift-rhel8/eap74-els-openjdk8-openshift-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:7">
        <ProductName>Red Hat JBoss Enterprise Application Platform 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:7">
        <ProductName>Red Hat JBoss Enterprise Application Platform 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>jboss-eap-7/eap74-els-openjdk17-openshift-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:8">
        <ProductName>Red Hat JBoss Enterprise Application Platform 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>jackson-databind-2.15.0.jar</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>jackson-databind-2.15.0.module</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>jackson-databind-nullable</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:lightspeed_for_runtimes:1">
        <ProductName>Red Hat Lightspeed for Runtimes Operator</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rh-lightspeed-runtimes/runtimes-agent-init-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:offline_knowledge_portal:1">
        <ProductName>Red Hat Offline Knowledge Portal</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>offline-knowledge-portal/rhokp-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-modelmesh-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-spark-operator-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-th06-cpu-torch210-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-th06-cpu-torch291-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-th06-cuda130-torch210-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-th06-cuda130-torch291-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-th06-rocm64-torch291-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-trustyai-service-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-vllm-gaudi-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>devspaces/multicluster-redirector-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>devspaces/openvsx-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>devspaces/pluginregistry-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>devspaces/server-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>candlepin</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openvox-server</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>puppetserver</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>satellite-capsule:el8/puppetserver</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>satellite:el8/candlepin</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_single_sign_on:7">
        <ProductName>Red Hat Single Sign-On 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:2">
        <ProductName>streams for Apache Kafka 2</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:3">
        <ProductName>streams for Apache Kafka 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jackson-databind</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-54513
https://nvd.nist.gov/vuln/detail/CVE-2026-54513
https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5
https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e
https://github.com/FasterXML/jackson-databind/issues/5981
https://github.com/FasterXML/jackson-databind/issues/5983
https://github.com/FasterXML/jackson-databind/pull/5984
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f
    </References>
</Vulnerability>