CVE-2026-54517: CWE-863: Incorrect Authorization in FasterXML jackson-databind
A medium severity authorization vulnerability (CWE-863) exists in FasterXML jackson-databind versions from 2.21.0 up to but not including 2.21.4 and 3.1.4. The issue involves incorrect application of the @JsonView filter during deserialization, allowing attacker-controlled JSON to populate setterless Collection/Map properties annotated with restricted views, bypassing intended view-based access controls. This flaw is fixed in versions 2.21.4 and 3.1.4.
AI Analysis
Technical Summary
The vulnerability in jackson-databind affects the BeanDeserializer._deserializeUsingPropertyBased method where the active-view (@JsonView) filter was only applied to creator properties, but not to the regular property-buffering branch. A change causing SetterlessProperty.isMerging() to return true routed setterless Collection/Map properties through an unguarded deserialization path. Consequently, a setterless collection annotated with a restricted @JsonView could be populated from attacker-controlled JSON even when the active view excludes it. This improper authorization allows unauthorized modification of certain properties during JSON deserialization. The issue is resolved in versions 2.21.4 and 3.1.4.
Potential Impact
This vulnerability allows an attacker to bypass @JsonView-based access controls during JSON deserialization, potentially leading to unauthorized modification of setterless Collection or Map properties. The impact is limited to integrity (I:L) with no confidentiality or availability impact. The CVSS score is 5.3 (medium severity), indicating a moderate risk where an attacker can influence application state without requiring privileges or user interaction.
Mitigation Recommendations
A fix is available in jackson-databind versions 2.21.4 and 3.1.4. Users should upgrade to at least these versions to remediate the vulnerability. No vendor advisory is provided to indicate alternative mitigations or temporary workarounds. Patch status is confirmed by the description stating the issue is fixed in these versions.
CVE-2026-54517: CWE-863: Incorrect Authorization in FasterXML jackson-databind
Description
A medium severity authorization vulnerability (CWE-863) exists in FasterXML jackson-databind versions from 2.21.0 up to but not including 2.21.4 and 3.1.4. The issue involves incorrect application of the @JsonView filter during deserialization, allowing attacker-controlled JSON to populate setterless Collection/Map properties annotated with restricted views, bypassing intended view-based access controls. This flaw is fixed in versions 2.21.4 and 3.1.4.
CVSS v3.1
Score 5.3medium
Affected software
pkg:maven/com.fasterxml.jackson.core/jackson-databindRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in jackson-databind affects the BeanDeserializer._deserializeUsingPropertyBased method where the active-view (@JsonView) filter was only applied to creator properties, but not to the regular property-buffering branch. A change causing SetterlessProperty.isMerging() to return true routed setterless Collection/Map properties through an unguarded deserialization path. Consequently, a setterless collection annotated with a restricted @JsonView could be populated from attacker-controlled JSON even when the active view excludes it. This improper authorization allows unauthorized modification of certain properties during JSON deserialization. The issue is resolved in versions 2.21.4 and 3.1.4.
Potential Impact
This vulnerability allows an attacker to bypass @JsonView-based access controls during JSON deserialization, potentially leading to unauthorized modification of setterless Collection or Map properties. The impact is limited to integrity (I:L) with no confidentiality or availability impact. The CVSS score is 5.3 (medium severity), indicating a moderate risk where an attacker can influence application state without requiring privileges or user interaction.
Mitigation Recommendations
A fix is available in jackson-databind versions 2.21.4 and 3.1.4. Users should upgrade to at least these versions to remediate the vulnerability. No vendor advisory is provided to indicate alternative mitigations or temporary workarounds. Patch status is confirmed by the description stating the issue is fixed in these versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-15T18:40:01.650Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3af602eed863c81e9ec647
Added to database: 06/23/2026, 21:09:22 UTC
Last enriched: 06/23/2026, 21:24:28 UTC
Last updated: 06/23/2026, 22:00:39 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.