CVE-2026-54517
Published 2026-06-23
Priority: P429 · Severity: medium · CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS: 0.24% (14.5th percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.
Affected
67 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-27 | de-minimal-rhel9 | — | — |
| ansible-automation-platform-27 | de-supported-rhel9 | — | — |
| candlepinproject | candlepin | — | — |
| debian | dogtag-pki | — | — |
| debian | puppetserver | — | — |
| devspaces | multicluster-redirector-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| devspaces | server-rhel9 | — | — |
| eap74-els-openjdk11-openshift-rhel8 | eap74-els-openjdk11-openshift-rhel8 | — | — |
| eap74-els-openjdk17-openshift-rhel8 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| eap74-els-openjdk8-openshift-rhel8 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | >= 2.21.0 < 2.21.4 | 2.21.4 |
| fasterxml | jackson-databind | >= 3.0.0 < 3.1.4 | 3.1.4 |
| jboss-eap-7 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| jboss-eap-7 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| jenkins | jenkins | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
| offline-knowledge-portal | rhokp-rhel9 | — | — |
| openshift-serverless-1 | kn-ekb-dispatcher-rhel9 | — | — |
| openshift-serverless-1 | kn-ekb-receiver-rhel9 | — | — |
CVSS provenance
nvd v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_redhat · 5.3 MEDIUM
VulDB
FasterXML jackson-databind up to 2.21.3/3.1.3 SetterlessProperty.isMerging authorization (GHSA-5hh8-q8hv-fr38 / EUVD-2026-38589)
vuldb·2026-06-24·CVSS 5.3
A vulnerability, which was classified as problematic, has been found in FasterXML jackson-databind up to 2.21.3/3.1.3. This vulnerability affects the function SetterlessProperty.isMerging. Performing a manipulation results in incorrect authorization.
This vulnerability is identified as CVE-2026-54517. The attack can be initiated remotely. No exploit is available.
It is advisable to upgrade the affected component.
GHSA
jackson-databind has @JsonView bypass for setterless creator properties
ghsa·2026-06-23
CVE-2026-54517 [MEDIUM] CWE-863 jackson-databind has @JsonView bypass for setterless creator properties
## Summary
In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making `SetterlessProperty.isMerging()` return `true` routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted `@JsonView` is populated from attacker JSON even when the active view excludes it.
## Impact
View-restricted (e.g. admin-only) setterless collection/map properties can be written from untrusted JSON despite `@JsonView` gating — an access-control / mass-assignment bypass. No RCE or DoS.
## Affected /
Red Hat
jackson-databind: jackson-databind: Information disclosure via improper JsonView filter application
vendor_redhat·2026-06-23·CVSS 5.3
CVE-2026-54517 [MEDIUM] CWE-1220 jackson-databind: jackson-databind: Information disclosure via improper JsonView filter application
A flaw was fo
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54517 resteasy: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-54517 byte-buddy: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 ceph: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 jackson-bom: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 jetty: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 jackson-modules-base: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 jackson-jaxrs-providers: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 log4j: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 python-avro: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 dogtag-pki: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 google-gson: jackson-databind: Information disclosure via improper JsonView filter application [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54517 jackson-databind: jackson-databind: Information disclosure via improper JsonView filter application
bugzilla·2026-06-23·CVSS 5.3
https://github.com/FasterXML/jackson-databind/commit/5bf23edb4221f7dd2ec8e71ff6d26c61640f261d
https://github.com/FasterXML/jackson-databind/commit/94c5d215b3af1505098c686405d9641f041a9962
https://github.com/FasterXML/jackson-databind/pull/5969
https://github.com/FasterXML/jackson-databind/pull/5970
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5hh8-q8hv-fr38