How CVE-2026-54517 Works
The vulnerability resides in FasterXML Jackson-databind’s `BeanDeserializer._deserializeUsingPropertyBased` method. This method is responsible for deserializing JSON input into Java objects, handling properties that are populated during the deserialization process. A critical security mechanism in Jackson is the `@JsonView` annotation, which allows developers to define view-based filtering—restricting which fields are serialized or deserialized based on the active view context. This is commonly used to prevent exposure of sensitive fields (e.g., admin-only properties) when processing untrusted input.
Prior to the fix, the `@JsonView` filter was correctly applied only to creator properties—those bound to constructor parameters or factory method arguments. The regular property-buffering branch, which handles standard bean properties, did not perform a `prop.visibleInView(activeView)` check. In practice the view filter was still enforced for most properties, because they did not reach that unguarded branch until the change described next.
The flaw was triggered by a change that made `SetterlessProperty.isMerging()` return true. Setterless properties are those that lack a traditional setter method; instead, Jackson accesses the field directly (via reflection) or uses a getter to obtain the collection/map and then mutates it. By routing setterless `Collection` and `Map` properties through the unguarded property-buffering path, the `visibleInView` check was entirely skipped.
Consequently, if a setterless collection or map property was annotated with a restricted `@JsonView` (e.g., @JsonView(AdminView.class)), an attacker could supply JSON data that populates this property even when the active deserialization view was something else (e.g., PublicView.class). The property would be deserialized and populated from the attacker-controlled JSON, bypassing the intended access control. This constitutes a mass-assignment or access-control bypass, allowing unauthorized writing of view-restricted fields.
The vulnerability affects Jackson-databind versions 2.21.0 through 2.21.3 and 3.0.0 through 3.1.3. It is fixed in versions 2.21.4 and 3.1.4. The issue was reported by Omkhar Arasaratnam (@omkhar). While the maintainer classified it as minor, the reporter assessed it as HIGH severity. It is assigned CWE-863 (Incorrect Authorization) and related to CWE-1220 (Insufficient Granularity of Access Control).
DailyCVE Form
Platform: Jackson-databind
Version: 2.21.0–2.21.3, 3.0.0–3.1.3
Vulnerability: @JsonView bypass
Severity: Medium (5.3)
Date: 2026-06-23
Prediction: Patch expected 2026-06-23
What Undercode Say: Analytics
The vulnerability allows an attacker to populate view-restricted setterless collection/map properties from JSON, even when the active `@JsonView` excludes them. This bypasses the intended authorization checks.
Detection Commands:
Check your Jackson-databind version:
mvn dependency:tree | grep jackson-databind
or for Gradle:
gradle dependencies | grep jackson-databind
Check if you are vulnerable (version ranges):
Vulnerable: 2.21.0 <= version < 2.21.4
Vulnerable: 3.0.0 <= version < 3.1.4
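The build-tool listings above show what was resolved at build time; a shaded or transitively pinned copy can differ from that. The following class, added here as an example and not part of the advisory or of Jackson itself, reads the version of the jackson-databind jar that is actually on the classpath and compares it against the affected ranges listed above. The imports are the 2.x coordinates (the 3.x line moved to the `tools.jackson` packages); the class name is hypothetical.

```java
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

public class JacksonVersionCheck {

    // Affected ranges as stated in the advisory:
    //   2.21.0 <= v < 2.21.4  and  3.0.0 <= v < 3.1.4
    public static boolean isAffected(int major, int minor, int patch) {
        if (major == 2) {
            return minor == 21 && patch < 4;
        }
        if (major == 3) {
            return minor == 0 || (minor == 1 && patch < 4);
        }
        return false;
    }

    public static boolean isAffected(Version v) {
        return isAffected(v.getMajorVersion(), v.getMinorVersion(), v.getPatchLevel());
    }

    public static void main(String[] args) {
        // Version baked into the databind jar that the class loader picked up
        Version v = PackageVersion.VERSION;
        boolean affected = isAffected(v);
        System.out.println("jackson-databind " + v
                + (affected ? " is in the affected range; upgrade to 2.21.4 / 3.1.4 or later"
                            : " is outside the affected range"));
        if (affected) {
            System.exit(1);   // non-zero exit so a CI step can gate on it
        }
    }
}
```

Run it with the application's real runtime classpath (the same one the service starts with), not just the build-time dependency graph, so that the check sees the jar that will handle untrusted JSON.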
Vulnerable Code Pattern:
import java.util.ArrayList;
import java.util.List;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.ObjectMapper;
class PublicView {}
class AdminView {}
public class User {
    @JsonView(AdminView.class)
    private List<String> adminNotes = new ArrayList<>(); // Setterless collection
    // No setter for adminNotes; Jackson reaches the list through the field or this getter
    // and mutates it in place
    public List<String> getAdminNotes() { return adminNotes; }
    // Deserialization with PublicView
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        User user = mapper.readerWithView(PublicView.class)
                .forType(User.class)
                .readValue(args[0]);
        // On affected versions, attacker JSON can still populate adminNotes
        System.out.println(user.getAdminNotes());
    }
}
Exploit
An attacker can send crafted JSON that includes values for the setterless collection/map property, even if the property is annotated with a restricted @JsonView. Since the view check is skipped, the property is populated from the JSON, allowing unauthorized data injection.
Example Attack JSON:
{
"adminNotes": ["malicious", "data"]
}
When deserialized with a non-admin view, the `adminNotes` list is still populated, bypassing the intended restriction.
Protection
- Upgrade to Jackson-databind version 2.21.4 or later (for the 2.21.x line) or 3.1.4 or later (for the 3.x line).
- If upgrading is not immediately possible, avoid using `@JsonView` on setterless collection/map properties, or ensure that such properties are not exposed to untrusted JSON input.
- Apply input validation to sanitize or reject unexpected fields in JSON payloads.
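The following class is an added example, not code from the advisory or from the Jackson project. It ties the Exploit section above (a payload carrying `adminNotes` under a non-admin view) to the Protection advice: it holds the setterless shape the advisory describes, two hardened shapes (an explicit setter; `READ_ONLY` access), a third hardening applied at the mapper (`USE_GETTERS_AS_SETTERS` disabled, a 2.x setting), and a check that deserializes the payload under `PublicView` and reports whether the admin-only list was filled. Class and view names are hypothetical and the payload is constructed. The check asserts the invariant that should always hold (no admin-only data through a public view); whether the setterless shape reaches the affected branch on a vulnerable version also depends on details, such as how the bean is instantiated, that the advisory does not spell out. Imports are the 2.x coordinates; the 3.x line uses the `tools.jackson` packages.

```java
import java.util.ArrayList;
import java.util.List;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class JsonViewRegressionCheck {

    // Hypothetical view markers, named as in the advisory's pattern
    public static class PublicView {}
    public static class AdminView {}

    // Common accessor so one check can inspect all three bean shapes
    public interface HasAdminNotes { List<String> getAdminNotes(); }

    // Shape the advisory describes: a view-restricted Collection reachable only
    // through its getter. The backing field is deliberately not named "adminNotes"
    // so Jackson cannot pull the field in as a mutator and is left with the getter
    // alone (assumption about property linking, cf. MapperFeature.INFER_PROPERTY_MUTATORS).
    public static class SetterlessUser implements HasAdminNotes {
        public String name;
        private final List<String> notes = new ArrayList<>();

        @JsonView(AdminView.class)
        public List<String> getAdminNotes() { return notes; }
    }

    // Hardened variant 1 (advisory: avoid @JsonView on setterless collection/map
    // properties): a real setter means the property is no longer setterless.
    public static class UserWithSetter implements HasAdminNotes {
        public String name;
        private List<String> adminNotes = new ArrayList<>();

        @JsonView(AdminView.class)
        public List<String> getAdminNotes() { return adminNotes; }
        public void setAdminNotes(List<String> v) { adminNotes = v; }
    }

    // Hardened variant 2 (advisory: keep such properties away from untrusted JSON):
    // READ_ONLY properties are serialized but never written from JSON, whatever the view.
    public static class UserReadOnlyNotes implements HasAdminNotes {
        public String name;
        private final List<String> notes = new ArrayList<>();

        @JsonView(AdminView.class)
        @JsonProperty(access = JsonProperty.Access.READ_ONLY)
        public List<String> getAdminNotes() { return notes; }
    }

    // Constructed payload in the shape of the advisory's "Example Attack JSON"
    public static final String PAYLOAD =
            "{\"name\":\"alice\",\"adminNotes\":[\"malicious\",\"data\"]}";

    public enum Outcome { POPULATED, EMPTY, REJECTED }

    // Deserialize PAYLOAD under PublicView. EMPTY or REJECTED is what view gating
    // should give; POPULATED means admin-only data got in through a public view.
    public static Outcome checkUnderPublicView(ObjectMapper mapper,
                                               Class<? extends HasAdminNotes> type) {
        try {
            HasAdminNotes bean = mapper.readerWithView(PublicView.class)
                                       .forType(type)
                                       .readValue(PAYLOAD);
            return bean.getAdminNotes().isEmpty() ? Outcome.EMPTY : Outcome.POPULATED;
        } catch (Exception e) {   // e.g. UnrecognizedPropertyException
            return Outcome.REJECTED;
        }
    }

    public static void main(String[] args) {
        ObjectMapper defaults = new ObjectMapper();
        // Hardened variant 3 (2.x mapper setting): with getters-as-setters off, Jackson
        // does not mutate collections obtained from getters, so no SetterlessProperty
        // exists for the affected branch to handle.
        ObjectMapper noGetterMutation = JsonMapper.builder()
                .disable(MapperFeature.USE_GETTERS_AS_SETTERS)
                .build();

        Outcome setterless = checkUnderPublicView(defaults, SetterlessUser.class);
        System.out.println("setterless, default mapper        : " + setterless);
        System.out.println("setterless, getters-as-setters off: "
                + checkUnderPublicView(noGetterMutation, SetterlessUser.class));
        System.out.println("explicit setter                   : "
                + checkUnderPublicView(defaults, UserWithSetter.class));
        System.out.println("READ_ONLY                         : "
                + checkUnderPublicView(defaults, UserReadOnlyNotes.class));

        // Build gate: fail if admin-only data leaks in through the public view
        if (setterless == Outcome.POPULATED) {
            throw new IllegalStateException(
                    "@JsonView gating bypassed: check the jackson-databind version");
        }
    }
}
```

Running the class against the jackson-databind version under test turns the advisory's claim into a repeatable assertion: a `POPULATED` line for the setterless shape is the signal to upgrade or to switch that property to one of the hardened shapes, and the non-zero exit makes the same check usable as a CI gate.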
Impact
- Access Control Bypass: View-restricted (e.g., admin-only) setterless collection/map properties can be written from untrusted JSON despite `@JsonView` gating.
- Mass Assignment: Attackers can inject data into fields that were intended to be protected, leading to potential privilege escalation or data corruption.
- No RCE or DoS: The vulnerability does not allow remote code execution or denial of service; it is strictly an authorization bypass.
Sources:
Reported By: github.com