diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 0bc7e01ef3..7e1d550c72 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -12,6 +12,8 @@ Project: jackson-databind
 (reported by Fangrun Li)
 #2704: Block one more gadget type (weblogic/oracle-aqjms)
 (reported by XuYuanzhen)
+#2765: Block one more gadget type (org.jsecurity))
+ (reported by Al1ex@knownsec)
 2.9.10.4 (11-Apr-2020)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 80cc378794..7c3d4bcc3b 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -194,6 +194,9 @@ public class SubTypeValidator
 s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
 s.add("oracle.jms.AQjmsXAConnectionFactory");
+ // [databind#2764]: org.jsecurity:
+ s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
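Review bot: The comment on the new deny-list entry in SubTypeValidator.java cites `[databind#2764]`, while the release-notes line added in this same commit files the change under `#2765`; one of the two is wrong, and anyone later auditing why `org.jsecurity.realm.jndi.JndiRealmFactory` is blocked will follow the wrong reference. Align them, for example `// [databind#2765]: org.jsecurity (JNDI realm factory)` if the release-notes number is the correct one. The entry names one exact class, so any other `org.jsecurity` type with the same lookup behaviour, if one exists, would remain deserializable; that matches how the neighbouring entries are written but is worth confirming against the report. The static initializer that builds `DEFAULT_NO_DESER_CLASS_NAMES` starts above the hunk, and no test covering the new entry is visible in this diff.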