CVE-2026-54518
Jackson-Databind Unwrapped Creator View Bypass

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4.
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor     Product           Version / Range
fasterxml  jackson-databind  From 2.21.0 (inc) to 2.21.5 (exc)
fasterxml  jackson-databind  2.21.4
fasterxml  jackson-databind  3.1.4
CWE
CWE ID   Description
CWE-863  The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Impact Analysis

This vulnerability can allow an attacker to inject or manipulate data in constructor parameters that should be restricted by JSON view annotations. Specifically, attacker-controlled JSON can populate a view-restricted creator parameter even when the active view should exclude it.

As a result, this could lead to unauthorized data exposure or manipulation, potentially compromising the integrity and confidentiality of the application data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade jackson-databind to version 2.21.4 or later, or 3.1.4 or later, where the issue has been fixed.

Executive Summary

The vulnerability exists in jackson-databind versions from 2.21.0 until 2.21.4 and 3.1.4. It involves the UnwrappedPropertyHandler.processUnwrappedCreatorProperties() method, which replays buffered JSON into constructor parameters without checking the visibility of properties based on the active JSON view.

Normally, properties annotated with @JsonView are only populated if the active view allows it. However, this vulnerability allows an attacker to bypass that check when a constructor parameter is annotated with both @JsonView(AdminView.class) and @JsonUnwrapped, enabling attacker-controlled JSON to populate that parameter even when a more restrictive view is active.

This issue was fixed in versions 2.21.4 and 3.1.4.
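The following is an added regression check, not code from the advisory or from the Jackson project, that exercises the pattern described above (a creator parameter carrying both @JsonView and @JsonUnwrapped, deserialized under a more restrictive view) so that a defender can confirm the installed jackson-databind honours the active view. The view, bean and field names (PublicView, AdminView, AdminFlags, Account, superuser) are hypothetical, and the snippet assumes jackson-databind 2.x on the classpath.

```java
// Added example (hypothetical names; assumes jackson-databind 2.x, not the project's own code).
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonUnwrapped;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class UnwrappedViewCheck {
    // PublicView is the restrictive view active at the untrusted boundary;
    // AdminView is the privileged view that alone should expose admin flags.
    public static class PublicView {}
    public static class AdminView {}

    // Nested value whose fields are flattened into the parent object by @JsonUnwrapped.
    public static class AdminFlags {
        public boolean superuser;
    }

    public static class Account {
        public final String name;
        public final AdminFlags admin;

        @JsonCreator
        public Account(@JsonProperty("name") String name,
                       @JsonView(AdminView.class) @JsonUnwrapped AdminFlags admin) {
            this.name = name;
            this.admin = admin;
        }
    }

    // Returns true when the active view is honoured (fixed behaviour): the unwrapped
    // creator parameter stays empty. Returns false when the replay path populated it
    // from the input despite PublicView being active (the bypass described in the CVE).
    public static boolean viewIsHonoured(ObjectMapper mapper) throws Exception {
        // Constructed input: "superuser" is only legitimate under AdminView.
        String json = "{\"name\":\"alice\",\"superuser\":true}";
        Account acct = mapper.readerWithView(PublicView.class)
                             .forType(Account.class)
                             .readValue(json);
        return acct.admin == null || !acct.admin.superuser;
    }

    public static void main(String[] args) throws Exception {
        // Unknown-property failures are disabled so the check isolates the view question.
        ObjectMapper mapper = new ObjectMapper()
                .disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        boolean ok = viewIsHonoured(mapper);
        System.out.println(ok ? "view honoured (fixed build)" : "view bypassed (affected build)");
        if (!ok) System.exit(1);
    }
}
```

Run it against the jackson-databind version actually on your classpath; a non-zero exit means the unwrapped creator replay ignored the active view and an upgrade to 2.21.4 / 3.1.4 or later is needed.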
