Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4.
Published: 2026-06-23
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

jackson-databind contains a flaw where unwrapped creator parameters annotated with both @JsonView and @JsonUnwrapped are populated from incoming JSON regardless of the active view, bypassing the intended visibility restrictions. This allows attacker-supplied JSON to set a constructor parameter that should have been hidden from the active view, leading to unauthorized information disclosure (the CVSS vector also records a low integrity impact). The weakness is classified as CWE-863 (Incorrect Authorization).

Affected Systems

The vulnerability affects FasterXML jackson-databind versions 2.21.0 through 2.21.3 on the 2.x line and 3.x releases prior to 3.1.4. The fix is included in jackson-databind 2.21.4 and 3.1.4 (and later). Systems using these versions for JSON deserialization are at risk when @JsonUnwrapped is combined with @JsonView on a creator (constructor or factory) parameter.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. EPSS is not available, and the absence of a KEV listing suggests no widely known active exploitation yet. The vulnerability is triggered by a JSON payload that carries the unwrapped properties; the library binds them into the constructor parameter without enforcing view visibility, potentially exposing or setting sensitive data. The attack requires the attacker to supply a JSON document to an application that uses the vulnerable deserialization path, and succeeds even when a more restrictive view is active.

Generated by OpenCVE AI on June 24, 2026 at 02:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jackson-databind to version 2.21.4 or later, or to 3.1.4 or later. This removes the bypass by ensuring that unwrapped creator properties respect @JsonView visibility constraints.
  • Review and refactor any use of @JsonUnwrapped in classes that also use @JsonView, or remove the @JsonView annotation from constructor parameters, to eliminate the bypass.
  • Validate incoming JSON payloads against expected schemas or disable unwrapped deserialization where feasible to enforce strict view-based access control.

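A regression check that a defender can run after applying the upgrade above. This is an added example, not code from jackson-databind, the GHSA advisory or OpenCVE. It assumes jackson-databind 2.21.x on the classpath (for the 3.x line the databind imports move to the tools.jackson.databind package); the view classes, the Account and AdminSettings beans and the JSON document are constructed for illustration. It reads a document that carries admin-only fields while the restrictive PublicView is active and reports whether those fields were bound into the @JsonView(AdminView.class) @JsonUnwrapped creator parameter, which is exactly the path the description says skips prop.visibleInView(activeView).

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonUnwrapped;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Regression check for the @JsonView bypass on unwrapped creator parameters.
 * Constructed example: the view classes, beans and JSON below are assumptions
 * made for illustration, not code from jackson-databind or the advisory.
 */
public class UnwrappedCreatorViewCheck {

    /** Restrictive view. */
    public static class PublicView {}

    /** Privileged view; a subclass of PublicView, so AdminView also sees PublicView properties. */
    public static class AdminView extends PublicView {}

    /** Bean whose fields are flattened into the enclosing JSON object via @JsonUnwrapped. */
    public static class AdminSettings {
        public String role;
        public boolean superuser;
    }

    /** Target type: the admin-only data arrives through an unwrapped creator parameter. */
    public static class Account {
        public final String name;
        public final AdminSettings admin;

        @JsonCreator
        public Account(@JsonProperty("name") String name,
                       // Logical name only; the fields of AdminSettings are matched at top level.
                       @JsonProperty("admin")
                       @JsonView(AdminView.class)
                       @JsonUnwrapped AdminSettings admin) {
            this.name = name;
            this.admin = admin;
        }
    }

    /** Constructed input: admin-only fields sent alongside a public field. */
    static final String UNTRUSTED_JSON =
            "{\"name\":\"alice\",\"role\":\"admin\",\"superuser\":true}";

    /**
     * Returns true when the restrictive PublicView left the admin-only unwrapped
     * parameter unpopulated (expected on 2.21.4 / 3.1.4 and later) and false when
     * the bypass is present (2.21.0 through 2.21.3, 3.x before 3.1.4).
     */
    static boolean viewIsEnforced(ObjectMapper mapper) throws Exception {
        Account acct = mapper.readerWithView(PublicView.class)
                             .forType(Account.class)
                             .readValue(UNTRUSTED_JSON);
        // Assumption: a fixed build either skips the parameter entirely (null)
        // or leaves the bean at its defaults; both count as "not populated".
        return acct.admin == null
                || (acct.admin.role == null && !acct.admin.superuser);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Unknown-property handling is not what is under test here, so relax it
        // so that the result reflects view gating only.
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

        if (viewIsEnforced(mapper)) {
            System.out.println("OK: admin-only unwrapped creator parameter ignored under PublicView");
        } else {
            System.out.println("VULNERABLE: admin-only fields bound despite PublicView; "
                    + "upgrade jackson-databind to 2.21.4 / 3.1.4 or later");
            System.exit(1);
        }
    }
}
```

Run it once against the version currently pinned in the build and once after the upgrade; a non-zero exit on the old version and a clean exit on the new one confirms the fix is actually in effect on your classpath rather than only in the changelog. The same harness also exercises the refactoring suggested above: move the admin data to a nested "admin" property without @JsonUnwrapped and the check should pass on every version, because that path goes through the normal view-gated creator logic.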
Advisories

Source: GitHub GHSA
ID: GHSA-rcqc-6cw3-h962
Title: jackson-databind has a @JsonView bypass for unwrapped creator parameters

History

Wed, 24 Jun 2026 01:15:00 +0000

Type: First Time appeared
Values added: Fasterxml; Fasterxml jackson-databind

Type: Vendors & Products
Values added: Fasterxml; Fasterxml jackson-databind

Tue, 23 Jun 2026 21:45:00 +0000

Type: Description
Values added: (the Description shown at the top of this page)

Type: Title
Values added: jackson-databind: @JsonView bypass for unwrapped creator parameters in jackson-databind

Type: Weaknesses
Values added: CWE-863

Type: References
Values added: (empty)

Type: Metrics
Values added: cvssV3_1, score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T21:02:07.539Z

Reserved: 2026-06-15T18:40:01.650Z

Link: CVE-2026-54518

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T02:45:05Z

Weaknesses