CVE Catalog

CVE-2026-54517

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile - higher than 15% of all known CVEs

Summary

In jackson-databind versions 2.21.0 to 2.21.4 and 3.1.4, the @JsonView filter is not applied to setterless Collection/Map properties, allowing attacker-supplied JSON to be processed even when the active view should exclude it.

Risk Assessment

The risk involves unauthorized data access or modification when an application uses @JsonView annotations to restrict field visibility. An attacker can bypass these restrictions and inject data into objects that should be protected.

Recommendation

Update jackson-databind to version 2.21.4 or 3.1.4 immediately. If an update is not possible, consider temporarily disabling merging for setterless Collection/Map properties.

Original NVD description (English source)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS