Jackson-databind @JsonView Bypass for Setterless Collections before 2.21.4/3.1.4
CVE-2026-54517 Published on June 23, 2026
jackson-databind: @JsonView bypass for setterless creator properties
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.
Vulnerability Analysis
CVE-2026-54517 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2026-54517 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-54517
Want to know whenever a new CVE is published for FasterXML Jackson Databind? stack.watch will email you.
Affected Versions
FasterXML jackson-databind:- Version >= 2.21.0, < 2.21.4 is affected.
- Version >= 3.0.0, < 3.1.4 is affected.