CVE-2026-54517
Status: Received (Intake)
Jackson Databind Active-View Bypass via Setterless Properties

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.
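As an added illustration that is not part of the advisory or of the Jackson project, the Java snippet below models the bean shape the description refers to: a property-based @JsonCreator (which is what sends deserialization through BeanDeserializer._deserializeUsingPropertyBased) together with a List exposed only through a getter, so Jackson treats it as a setterless Collection property, annotated with a view the caller is not reading under. Reading constructed JSON under the Public view and checking whether the restricted list stayed empty is a quick way to confirm that the jackson-databind build actually on the classpath has the fix. The class and view names (Account, Public, Internal) are made up for the example, the JSON input is constructed, and the imports use the 2.x package namespace (3.x lives under tools.jackson).

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.List;

public class JsonViewSetterlessCheck {

    // View marker classes; the names are assumptions for this example.
    public static class Public {}
    public static class Internal {}

    // Hypothetical bean shaped like the case in the advisory:
    // - "name" is a creator property (property-based @JsonCreator), which makes
    //   BeanDeserializer take the _deserializeUsingPropertyBased path and buffer
    //   the remaining properties until the creator has been called;
    // - "roles" has a getter but no setter, so Jackson treats it as a setterless
    //   Collection property and fills the existing list in place
    //   (MapperFeature.USE_GETTERS_AS_SETTERS, enabled by default).
    public static class Account {
        private final String name;
        private final List<String> roles = new ArrayList<>();

        @JsonCreator
        public Account(@JsonProperty("name") String name) {
            this.name = name;
        }

        @JsonView(Public.class)
        public String getName() { return name; }

        // Only the Internal view should be allowed to populate this list.
        @JsonView(Internal.class)
        public List<String> getRoles() { return roles; }
    }

    // Constructed input: a caller that should only reach Public properties also sends "roles".
    static final String INPUT = "{\"name\":\"alice\",\"roles\":[\"admin\"]}";

    /** Deserialize INPUT under the Public view and report whether the restricted list was touched. */
    public static boolean restrictedListLeaked(ObjectMapper mapper) throws Exception {
        Account acct = mapper.readerWithView(Public.class)
                             .forType(Account.class)
                             .readValue(INPUT);
        return !acct.getRoles().isEmpty();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        System.out.println("jackson-databind on classpath: "
                + com.fasterxml.jackson.databind.cfg.PackageVersion.VERSION);
        boolean leaked = restrictedListLeaked(mapper);
        System.out.println(leaked
                ? "AFFECTED: @JsonView(Internal) setterless list was populated under the Public view"
                : "OK: restricted list stayed empty under the Public view");
    }
}
```

On a fixed build (2.21.4 / 3.1.4 or later) the view filter applies to the buffered property and the list stays empty; on an affected 2.21.x build the list comes back containing "admin" even though the reader was created with the Public view. The version line printed first makes it easy to see which jar actually won dependency resolution, which is usually the real question when a transitive dependency pins an older Jackson.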
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
3 associated CPEs

Vendor    Product            Version / Range
jackson   jackson-databind   From 2.21.0 (inc) to 2.21.5 (exc)
jackson   jackson-databind   2.21.4
jackson   jackson-databind   3.1.4
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

The vulnerability exists in jackson-databind versions from 2.21.0 until 2.21.4 and 3.1.4, specifically in the BeanDeserializer._deserializeUsingPropertyBased method. The active-view (@JsonView) filter was applied only to creator properties, not to the regular properties buffered while waiting for the creator. Because a change made SetterlessProperty.isMerging() return true, setterless Collection or Map properties annotated with a restricted @JsonView took that unguarded path and could be populated from attacker-controlled JSON even when the active view excludes them. In effect, data that the @JsonView annotation was meant to keep out of a given view could still be deserialized from malicious input.

Impact Analysis

This vulnerability can lead to unauthorized modification or injection of data into setterless Collection or Map properties that are supposed to be restricted by @JsonView annotations. An attacker could craft JSON input that populates these properties even when they should be excluded, potentially leading to data integrity issues or unexpected application behavior.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade jackson-databind to version 2.21.4 or later, or 3.1.4 or later, where the issue has been fixed.
