diff --git a/.trivyignore b/.trivyignore
index 034ca026..c8f56aed 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -6,7 +6,9 @@
# See: UID2-6670
GHSA-72hv-8253-57qq exp:2026-09-01
-# jackson-databind data-binding vulnerability - no upstream fix released yet (fix targets: 2.18.8, 2.21.4, 3.1.4)
+# jackson-databind polymorphic deserialization bypass - not exploitable, uid2-shared does not enable polymorphic
+# typing (no @JsonTypeInfo, enableDefaultTyping, or PolymorphicTypeValidator usage). No upstream fix released yet
+# (fix targets: 2.18.8, 2.21.4, 3.1.4; latest available: 2.18.4).
# See: UID2-7364
CVE-2026-54512 exp:2026-07-25
CVE-2026-54513 exp:2026-07-25
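Review bot: The "not exploitable" rationale in the new comment names `enableDefaultTyping` but not its replacement `activateDefaultTyping`, and it speaks only for uid2-shared's own code. If services that depend on this shared library inherit its Jackson version, their own ObjectMapper configuration decides exposure as well. I would state the scope in the comment, e.g. `# Checked in uid2-shared only: no @JsonTypeInfo, enableDefaultTyping/activateDefaultTyping, PolymorphicTypeValidator; consumers must verify their own mappers.` The "latest available: 2.18.4" figure also matches neither the 2.19.0 removed nor the 2.14.2 set in pom.xml in this same commit, so say which repository or branch it refers to.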
diff --git a/pom.xml b/pom.xml
index 813251d4..26042f06 100644
--- a/pom.xml
+++ b/pom.xml
@@ -206,15 +206,10 @@
cbor
0.9
-
- com.fasterxml.jackson.core
- jackson-core
- 2.19.0
-
com.fasterxml.jackson.core
jackson-databind
- 2.19.0
+ 2.14.2
org.projectlombok
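Review bot: The jackson-databind version drops from 2.19.0 to 2.14.2, a branch that is not among the fix targets listed in .trivyignore (2.18.8, 2.21.4, 3.1.4). The suppressed CVEs therefore cannot be cleared by a patch-level bump once the fix ships, and any fixes made between 2.14.2 and 2.19.0 are given up. Nothing in the commit explains the downgrade; if it is a compatibility constraint, record it beside the version, e.g. `<!-- held at 2.14.2: REASON_PLACEHOLDER; revisit with UID2-7364 -->`. Removing the explicit jackson-core entry leaves its version to transitive resolution, so confirm with `mvn dependency:tree` that jackson-core and jackson-databind resolve to the same release line, or manage both through the `jackson-bom` import.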