CVE-2026-54518
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
Vulnerability in jackson-databind related to unwrapped properties in constructors. The UnwrappedPropertyHandler.processUnwrappedCreatorProperties() method does not check @JsonView visibility, allowing bypass of view restrictions and injection of JSON data into a constructor parameter annotated with both @JsonView and @JsonUnwrapped, even when a more restrictive view is active.
Risk Assessment
An attacker can supply JSON data that gets deserialized into a constructor parameter that should be hidden in a given view, potentially leading to unauthorized access to sensitive data or violation of application logic.
Recommendation
Update jackson-databind to version 2.21.4 or 3.1.4, depending on the branch used. If an update is not possible, avoid combining @JsonView with @JsonUnwrapped in constructors.
Original NVD description (English source)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4.

