Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

jackson‑databind versions from 2.21.0 up to 2.21.3 and all releases prior to 2.21.4 contain a flaw in the BeanDeserializer routine that causes the @JsonView filter to be applied only to creator properties. Setterless Collection or Map properties that are annotated with @JsonView but lack a setter are processed through an unguarded branch, allowing a malicious JSON payload to populate these otherwise restricted properties, thereby bypassing intended visibility or security controls. This flaw corresponds to CWE‑1220 and CWE‑863 and represents a data‑integrity violation within the application.

Affected Systems

The vulnerability affects FasterXML’s jackson‑databind library in versions 2.21.0 through 2.21.3 and in all releases prior to 3.1.4 are listed.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the moderate range. The EPSS score of < 1% suggests a low but nonzero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation yet. The attack vector is likely remote; any application that accepts externally supplied JSON and uses jackson‑databind for deserialization can be targeted. By crafting a payload that includes a setterless collection or map annotated with a restricted @JsonView, an attacker can inject data that the application believes to be hidden by view filtering. The exploitation requires only normal JSON input and no special privileges, making the risk tangible for services that rely on @JsonView for access control.

Generated by OpenCVE AI on July 1, 2026 at 12:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Jackson 2.21.4 or 3.1.4 where the filter logic is corrected
  • If an immediate upgrade is not possible, review the code to eliminate setterless collection or map properties that rely on @JsonView for visibility, or explicitly block such properties from being deserialized
  • Verify that all @JsonView annotations are correctly applied and that no public properties remain view‑protected by relying solely on the view mechanism
  • Consider adding application‑level validation or filtering to prevent untrusted data from affecting sensitive properties until the library is patched

Generated by OpenCVE AI on July 1, 2026 at 12:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5hh8-q8hv-fr38 jackson-databind has @JsonView bypass for setterless creator properties
History

Wed, 01 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1220
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Fasterxml
Fasterxml jackson-databind
Vendors & Products Fasterxml
Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.
Title jackson-databind: @JsonView bypass for setterless creator properties
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Fasterxml Jackson-databind
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:13:32.607Z

Reserved: 2026-06-15T18:40:01.650Z

Link: CVE-2026-54517

cve-icon Vulnrichment

Updated: 2026-06-24T19:13:19.118Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T20:47:22Z

Links: CVE-2026-54517 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T13:00:15Z

Weaknesses
  • CWE-1220

    Insufficient Granularity of Access Control

  • CWE-863

    Incorrect Authorization