CVE-2026-54517 in jackson-databind
Summary
by MITRE • 06/24/2026
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.
Analysis
by VulDB Data Team • 06/24/2026
This vulnerability affects the jackson-databind library's data-binding functionality, specifically the BeanDeserializer._deserializeUsingPropertyBased method, where view filtering is applied inconsistently during object deserialization. The flaw exists in versions 2.21.0 through 2.21.3 and 3.1.0 through 3.1.3, creating a security risk that allows unauthorized data exposure. The vulnerability stems from inconsistent application of @JsonView annotations across different code paths during deserialization: creator properties receive proper view filtering, while regular property buffering does not.
The technical issue arises from how Jackson handles different kinds of properties during deserialization. When processing setterless Collection/Map properties, a recent change causing SetterlessProperty.isMerging() to return true routes these properties through an unguarded code path that bypasses the active-view filtering mechanism. As a result, attacker-controlled JSON input can populate restricted collections even when the current JsonView excludes them from visibility. The vulnerability manifests because the regular property-buffering branch fails to perform the prop.visibleInView(activeView) check that properly guards creator properties.
The operational impact of this vulnerability is significant as it allows attackers to bypass view-based access controls during deserialization operations. An attacker could craft malicious JSON input containing sensitive data within setterless collection properties and, when processed by an application using jackson-databind, the restricted data would be populated into the target object despite being excluded by the active @JsonView annotation. This represents a direct violation of information flow control principles and could lead to exposure of sensitive data that should remain hidden under specific view configurations.
This vulnerability aligns with CWE-692: Improper Filtering of Special Elements and relates to ATT&CK technique T1566.001: Phishing via Social Media, as it enables attackers to exploit deserialization weaknesses to gain access to restricted information. The flaw also connects to CWE-284: Improper Access Controls, since it allows bypassing access restrictions that should be enforced during object construction. Organizations using jackson-databind in applications with view-based security controls are at risk, particularly those handling sensitive data where different user roles or contexts require different data exposure levels.
The recommended mitigation involves upgrading to patched versions 2.21.4 and 3.1.4 where the fix ensures consistent application of JsonView filtering across all property processing paths. Additionally, organizations should implement comprehensive input validation for deserialization operations and consider applying additional security layers such as request payload size limits and content-type restrictions. Security teams should also review existing applications that utilize jackson-databind with JsonView annotations to ensure proper configuration and identify potential attack vectors through deserialization processes.