CVE-2026-54518: CWE-863: Incorrect Authorization in FasterXML jackson-databind
A medium severity authorization vulnerability exists in FasterXML jackson-databind versions prior to 2.21.4 and 3.1.4. The flaw allows attacker-controlled JSON to populate constructor parameters annotated with both @JsonView and @JsonUnwrapped, bypassing intended view-based access controls. This occurs because the unwrapped-creator replay path does not enforce visibility checks on creator properties. The issue is fixed in versions 2.21.4 and 3.1.4.
AI Analysis
Technical Summary
CVE-2026-54518 is an incorrect authorization vulnerability in jackson-databind's UnwrappedPropertyHandler.processUnwrappedCreatorProperties() method. From versions 2.21.0 until 2.21.4 and 3.1.4, this method replays buffered JSON into constructor parameters without consulting the visibility constraints imposed by @JsonView annotations. While the normal property-based creator path enforces active view restrictions, the unwrapped-creator replay path bypasses these checks, allowing attacker-controlled JSON to populate sensitive constructor parameters annotated with both @JsonView and @JsonUnwrapped. This can lead to unauthorized data binding. The vulnerability is resolved in jackson-databind versions 2.21.4 and 3.1.4.
Potential Impact
An attacker can bypass intended view-based authorization controls in jackson-databind and supply JSON data that populates constructor parameters which should be restricted. This may lead to unauthorized information disclosure or manipulation of data bound to sensitive constructor parameters. The impact is limited to confidentiality and integrity with no availability impact reported.
Mitigation Recommendations
This vulnerability is fixed in jackson-databind versions 2.21.4 and 3.1.4. Users should upgrade to at least these versions to remediate the issue. No other official remediation or temporary fixes are indicated. Patch status is confirmed by the vendor advisory stating the fix is included in these versions.
CVE-2026-54518: CWE-863: Incorrect Authorization in FasterXML jackson-databind
Description
A medium severity authorization vulnerability exists in FasterXML jackson-databind versions prior to 2.21.4 and 3.1.4. The flaw allows attacker-controlled JSON to populate constructor parameters annotated with both @JsonView and @JsonUnwrapped, bypassing intended view-based access controls. This occurs because the unwrapped-creator replay path does not enforce visibility checks on creator properties. The issue is fixed in versions 2.21.4 and 3.1.4.
CVSS v3.1
Score 6.5medium
Affected software
pkg:maven/com.fasterxml.jackson.core/jackson-databindRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-54518 is an incorrect authorization vulnerability in jackson-databind's UnwrappedPropertyHandler.processUnwrappedCreatorProperties() method. From versions 2.21.0 until 2.21.4 and 3.1.4, this method replays buffered JSON into constructor parameters without consulting the visibility constraints imposed by @JsonView annotations. While the normal property-based creator path enforces active view restrictions, the unwrapped-creator replay path bypasses these checks, allowing attacker-controlled JSON to populate sensitive constructor parameters annotated with both @JsonView and @JsonUnwrapped. This can lead to unauthorized data binding. The vulnerability is resolved in jackson-databind versions 2.21.4 and 3.1.4.
Potential Impact
An attacker can bypass intended view-based authorization controls in jackson-databind and supply JSON data that populates constructor parameters which should be restricted. This may lead to unauthorized information disclosure or manipulation of data bound to sensitive constructor parameters. The impact is limited to confidentiality and integrity with no availability impact reported.
Mitigation Recommendations
This vulnerability is fixed in jackson-databind versions 2.21.4 and 3.1.4. Users should upgrade to at least these versions to remediate the issue. No other official remediation or temporary fixes are indicated. Patch status is confirmed by the vendor advisory stating the fix is included in these versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-15T18:40:01.650Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3b008ceed863c81eac1611
Added to database: 06/23/2026, 21:54:20 UTC
Last enriched: 06/23/2026, 22:09:08 UTC
Last updated: 06/23/2026, 22:09:08 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.