CVE-2026-54518
Published 2026-06-23
CVE-2026-54518: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4…
Priority P338 · medium · CVSS 3.1 6.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N)
EPSS: 0.21% (11.3th percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4.
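The description above names the exact shape that slips past the view gate: a single creator parameter carrying both `@JsonView(AdminView.class)` and `@JsonUnwrapped`. The regression check below is an added example, not code from the jackson-databind project or any of the advisories on this page; it assumes Jackson 2.21.x package names (`com.fasterxml.jackson.*`), and the `Account`, `AdminFlags`, `PublicView` and `AdminView` types and the sample JSON are constructed for the example. Run it against the version you ship: on an affected build the admin-only `superuser` field is populated even though the reader is restricted to `PublicView`; on 2.21.4 / 3.1.4 it is not.

```java
// Added regression check for CVE-2026-54518 (example code, not the project's own).
// Assumes Jackson 2.21.x; all class and view names below are illustrative.
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonUnwrapped;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectReader;

public class UnwrappedViewRegressionCheck {

    // Marker views (constructed for this example): AdminView is a superset of PublicView.
    public static class PublicView {}
    public static class AdminView extends PublicView {}

    // Nested bean whose fields are flattened into the parent object by @JsonUnwrapped,
    // so "superuser" appears at the top level of the incoming JSON.
    public static class AdminFlags {
        public boolean superuser;
    }

    public static class Account {
        public final String name;
        public final AdminFlags flags;

        @JsonCreator
        public Account(@JsonProperty("name") String name,
                       // Both annotations on one creator parameter: the pattern the advisory describes.
                       @JsonView(AdminView.class) @JsonUnwrapped AdminFlags flags) {
            this.name = name;
            this.flags = flags;
        }
    }

    // Constructed input: a caller limited to PublicView supplies an admin-only field anyway.
    static final String UNTRUSTED_JSON = "{\"name\":\"alice\",\"superuser\":true}";

    /** Returns true when the view gate held (flags not populated), false when it was bypassed. */
    public static boolean viewGateHolds() throws Exception {
        ObjectReader reader = new ObjectMapper()
                .readerWithView(PublicView.class)   // restrictive view is active
                .forType(Account.class);
        Account acct = reader.readValue(UNTRUSTED_JSON);
        return acct.flags == null || !acct.flags.superuser;
    }

    public static void main(String[] args) throws Exception {
        if (viewGateHolds()) {
            System.out.println("OK: @JsonView gate held for the unwrapped creator parameter");
        } else {
            System.out.println("BYPASS: admin-only unwrapped creator parameter was populated; upgrade to 2.21.4 / 3.1.4");
        }
    }
}
```

The check is only meaningful where `@JsonView` is relied on as a write-side boundary, which the GHSA impact statement on this page calls out. Independently of the upgrade, privilege-bearing fields such as the `superuser` flag above should be re-validated against the caller's actual authorization after binding, so that a binding-layer gap does not become an authorization decision.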
Affected
67 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-27 | de-minimal-rhel9 | — | — |
| ansible-automation-platform-27 | de-supported-rhel9 | — | — |
| candlepinproject | candlepin | — | — |
| debian | dogtag-pki | — | — |
| debian | puppetserver | — | — |
| devspaces | multicluster-redirector-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| devspaces | server-rhel9 | — | — |
| eap74-els-openjdk11-openshift-rhel8 | eap74-els-openjdk11-openshift-rhel8 | — | — |
| eap74-els-openjdk17-openshift-rhel8 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| eap74-els-openjdk8-openshift-rhel8 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | >= 2.21.0 < 2.21.4 | 2.21.4 |
| fasterxml | jackson-databind | >= 3.0.0 < 3.1.4 | 3.1.4 |
| jboss-eap-7 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| jboss-eap-7 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| jenkins | jenkins | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
| offline-knowledge-portal | rhokp-rhel9 | — | — |
| openshift-serverless-1 | kn-ekb-dispatcher-rhel9 | — | — |
| openshift-serverless-1 | kn-ekb-receiver-rhel9 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| vendor_redhat | 6.5 | MEDIUM | — |
VulDB
FasterXML jackson-databind up to 2.21.3/3.1.3 authorization (EUVD-2026-38629)
vuldb · 2026-06-24 · CVSS 6.5 · MEDIUM
A vulnerability was found in FasterXML jackson-databind up to 2.21.3/3.1.3. It has been declared as critical. Impacted is the function UnwrappedPropertyHandler.processUnwrappedCreatorProperties. The manipulation results in incorrect authorization.
This vulnerability is reported as CVE-2026-54518. The attack can be launched remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
jackson-databind has a @JsonView bypass for unwrapped creator parameters
ghsa · 2026-06-23 · MEDIUM · CWE-863
## Summary
`UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both `@JsonView(AdminView.class)` and `@JsonUnwrapped` is populated from attacker JSON even when a more restrictive view is active.
## Impact
View-restricted unwrapped creator parameters can be set from untrusted input where `@JsonView` is used as a write-side authorization boundary.
## Affected / Patched (verified via `git tag --contains`)
- 2.21 line: `>= 2.21.
Red Hat
jackson-databind: Information disclosure and data manipulation via view-based access control bypass
vendor_redhat · 2026-06-23 · CVSS 6.5 · MEDIUM · CWE-639
A flaw
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54518 byte-buddy: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-54518 log4j: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 ceph: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 python-avro: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 dogtag-pki: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 jackson-jaxrs-providers: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 google-gson: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 jackson-bom: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 resteasy: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 jackson-modules-base: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 jetty: jackson-databind: Information disclosure and data manipulation via view-based access control bypass [fedora-all]
bugzilla · 2026-06-30 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2026-54518 jackson-databind: jackson-databind: Information disclosure and data manipulation via view-based access control bypass
bugzilla · 2026-06-23 · CVSS 6.5 · MEDIUM
References
- https://github.com/FasterXML/jackson-databind/commit/721fa07ebbd4aab4a659a1a68940878315c3e341
- https://github.com/FasterXML/jackson-databind/commit/d633bc038f200c1397c07f1a2b46f58e72c91eea
- https://github.com/FasterXML/jackson-databind/pull/5971
- https://github.com/FasterXML/jackson-databind/pull/5973
- https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rcqc-6cw3-h962
Published: 2026-06-23