Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

jackson-databind versions from 2.21.0 up to 2.21.3 and all releases prior to 3.1.4 contain a flaw in the BeanDeserializer routine that causes the @JsonView filter to be applied only to creator properties. Setterless Collection or Map properties that are annotated with @JsonView but lack a setter are processed through an unguarded branch, allowing a malicious JSON payload to populate these otherwise restricted properties, thereby bypassing intended visibility or security controls. This flaw corresponds to CWE-863 and represents a data-integrity violation within the application.

Affected Systems

The vulnerability affects FasterXML's jackson-databind library in versions 2.21.0 through 2.21.3 and in all releases prior to 3.1.4. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the moderate range. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. The attack vector is likely remote; any application that accepts externally supplied JSON and uses jackson‑databind for deserialization can be targeted. By crafting a payload that includes a setterless collection or map annotated with a restricted @JsonView, an attacker can inject data that the application believes to be hidden by view filtering. The exploitation requires only normal JSON input and no special privileges, making the risk tangible for services that rely on @JsonView for access control.

Generated by OpenCVE AI on June 24, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Jackson Databind to version 2.21.4 or 3.1.4 where the filter logic is corrected
  • If an immediate upgrade is not possible, review the code to eliminate setterless collection or map properties that rely on @JsonView for visibility, or explicitly block such properties from being deserialized
  • Verify that all @JsonView annotations are correctly applied and that no public properties remain view-protected by relying solely on the view mechanism
  • Consider adding application-level validation or filtering to prevent untrusted data from affecting sensitive properties until the library is patched

Advisories

Source: GitHub GHSA
ID: GHSA-5hh8-q8hv-fr38
Title: jackson-databind has @JsonView bypass for setterless creator properties
History

Wed, 24 Jun 2026 02:00:00 +0000

Type: First Time appeared
Values Added: Fasterxml; Fasterxml jackson-databind

Type: Vendors & Products
Values Added: Fasterxml; Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
Values Added: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.

Type: Title
Values Added: jackson-databind: @JsonView bypass for setterless creator properties

Type: Weaknesses
Values Added: CWE-863

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-23T20:47:22.977Z
Reserved: 2026-06-15T18:40:01.650Z
Link: CVE-2026-54517

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:30:05Z

Weaknesses