CVE-2026-54517
Analyzed Analyzed - Analysis Complete

Jackson Databind Active-View Bypass via Setterless Properties

Vulnerability report for CVE-2026-54517, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-27

Assigner: GitHub, Inc.

Description

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-27
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fasterxml jackson-databind From 3.0.0 (inc) to 3.1.4 (exc)
fasterxml jackson-databind From 2.21.0 (inc) to 2.21.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in jackson-databind versions from 2.21.0 until 2.21.4 and 3.1.4, specifically in the BeanDeserializer._deserializeUsingPropertyBased method. The issue is that the active-view (@JsonView) filter was only applied to creator properties, but not to regular properties during property buffering. Due to a change making SetterlessProperty.isMerging() return true, setterless Collection or Map properties annotated with a restricted @JsonView could be populated from attacker-controlled JSON data even when the active view excludes them. This means that data meant to be hidden or restricted by the @JsonView annotation could be improperly deserialized and populated from malicious input.

Impact Analysis

This vulnerability can lead to unauthorized modification or injection of data into setterless Collection or Map properties that are supposed to be restricted by @JsonView annotations. An attacker could craft JSON input that populates these properties even when they should be excluded, potentially leading to data integrity issues or unexpected application behavior.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade jackson-databind to version 2.21.4 or later, or 3.1.4 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54517. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart