CVE-2026-54518
Analyzed Analyzed - Analysis Complete

Jackson-Databind Unwrapped Creator View Bypass

Vulnerability report for CVE-2026-54518, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-27

Assigner: GitHub, Inc.

Description

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-27
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fasterxml jackson-databind From 3.0.0 (inc) to 3.1.4 (exc)
fasterxml jackson-databind From 2.21.0 (inc) to 2.21.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in jackson-databind versions from 2.21.0 until 2.21.4 and 3.1.4. It involves the UnwrappedPropertyHandler.processUnwrappedCreatorProperties() method, which replays buffered JSON into constructor parameters without checking the visibility of properties based on the active JSON view.

Normally, properties annotated with @JsonView are only populated if the active view allows it. However, this vulnerability allows an attacker to bypass that check when a constructor parameter is annotated with both @JsonView(AdminView.class) and @JsonUnwrapped, enabling attacker-controlled JSON to populate that parameter even when a more restrictive view is active.

This issue was fixed in versions 2.21.4 and 3.1.4.

Impact Analysis

This vulnerability can allow an attacker to inject or manipulate data in constructor parameters that should be restricted by JSON view annotations. Specifically, attacker-controlled JSON can populate sensitive parameters even when access should be limited.

As a result, this could lead to unauthorized data exposure or manipulation, potentially compromising the integrity and confidentiality of the application data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade jackson-databind to version 2.21.4 or later, or 3.1.4 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows unauthorized access to sensitive data by bypassing the @JsonView annotation, which is intended to restrict data exposure based on views. Because it enables attackers to populate constructor parameters annotated with restrictive views from untrusted JSON input, it can lead to unauthorized data exposure or modification.

Such unauthorized data exposure or manipulation can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive personal or health information.

By circumventing intended access controls, this vulnerability increases the risk of confidentiality and integrity breaches, potentially resulting in non-compliance with these regulations.

Detection Guidance

This vulnerability is related to the Jackson Databind library's handling of @JsonView annotations for unwrapped creator parameters during JSON deserialization. Detection involves identifying if your system or application is using a vulnerable version of Jackson Databind.

To detect the vulnerability on your system, you should check the version of the jackson-databind library in use. Versions from 2.21.0 up to 2.21.3 inclusive, and from 3.0.0 up to 3.1.3 inclusive, are vulnerable. Versions 2.21.4 and 3.1.4 or later contain the fix.

  • Use dependency management tools or commands to check the jackson-databind version, for example:
  • For Maven projects: mvn dependency:list | grep jackson-databind
  • For Gradle projects: ./gradlew dependencies --configuration runtimeClasspath | grep jackson-databind
  • For systems with installed JARs, you can check the version by inspecting the JAR manifest or filename, e.g.:
  • unzip -p jackson-databind-*.jar META-INF/MANIFEST.MF | grep 'Implementation-Version'

There are no specific network detection commands or signatures provided in the resources, as this vulnerability is a library-level issue affecting deserialization logic rather than a network-level exploit detectable by scanning traffic.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart