CVE-2026-54517
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
jackson-databind is the general-purpose data-binding package of the FasterXML Jackson suite. It provides full data-binding (object serialization and deserialization) on top of the Jackson streaming parser/generator (jackson-core) and the Jackson annotations (jackson-annotations), and is one of the most widely used JSON libraries for Java.
An authorization bypass vulnerability (CVE-2026-54517) has been identified in jackson-databind that allows an attacker to populate view-restricted properties from untrusted JSON when a type is deserialized with an active @JsonView. The active-view filter is enforced for properties that are creator (constructor or factory) parameters, but it is not enforced for regular properties of the same type, such as setterless or merging collection and map properties, that are buffered on the property-based-creator path. A value that the active view was meant to hide can therefore be written during bean construction.
As CWE-863 (Incorrect Authorization) describes it: the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
This issue affects jackson-databind versions from 2.9.0 up to but not including the fixed 2.18.8 and 2.21.4 releases.
Details
Module Info
- Product: jackson-databind
- Affected packages: jackson-databind
- Affected versions: >=2.9.0 <2.18.8, >=2.19.0 <2.21.4
- GitHub repository: https://github.com/FasterXML/jackson-databind
- Published packages:
  - Package manager: Maven
- Fixed in:
  - NES for Jackson 2.13.6, 2.14.4, and 2.15.5
  - Jackson Databind 2.18.8, 2.21.4, 3.1.4 (OSS)
Vulnerability Info
This Medium-severity vulnerability is found in the com.fasterxml.jackson.core:jackson-databind package in versions from 2.9.0 up to but not including the fixed 2.18.8 and 2.21.4 releases of jackson-databind. When a type is deserialized through a property-based creator (for example a @JsonCreator constructor or factory whose parameters carry @JsonProperty), BeanDeserializer._deserializeUsingPropertyBased walks the incoming JSON property by property and computes the active view once at the top of the method:
    final Class<?> activeView = _needViewProcesing ? ctxt.getActiveView() : null;

The branch that handles a creator parameter honors that view, skipping a property the active view is not allowed to see:
    // creator property?
    if (creatorProp != null) {
        Object value;
        if ((activeView != null) && !creatorProp.visibleInView(activeView)) {
            p.skipChildren();
            continue;
        }
        // ...
    }
The branch that handles a regular property (one that is not a creator parameter, such as a setterless collection or map that Jackson mutates in place) performs no equivalent check before buffering the value:
    // regular property? needs buffering
    SettableBeanProperty prop = _beanProperties.find(propName);
    if (prop != null) {
        buffer.bufferProperty(prop, _deserializeWithErrorWrapping(p, ctxt, prop));
        continue;
    }
Because the buffering branch never consults prop.visibleInView(activeView), a view-restricted property (for example one annotated for an administrator-only view) is populated from attacker-controlled JSON even when the read is performed under a more restrictive view. The view that was intended to gate which fields a caller may set is silently bypassed for these properties, allowing integrity-affecting mass assignment of data the caller should not be able to write. Note that the same type deserialized without a property-based creator does not take this path, which is why the bug is easy to miss: the view appears to work until a @JsonCreator is added.
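The following is an added example, not code from the advisory or from the Jackson project. It reproduces the shape the text describes (a property-based creator plus a setterless, Admin-only collection) so you can check whether the jackson-databind on your classpath is affected, and shows one hardening that relies on the creator branch's own view check: making the restricted collection a creator parameter. The view classes, bean names, and the JSON input are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.List;

public class JsonViewBypassDemo {

    // Hypothetical view markers: Admin is a superset of Public.
    public static class Views {
        public static class Public {}
        public static class Admin extends Public {}
    }

    // Vulnerable shape: a property-based creator plus a setterless collection
    // restricted to the Admin view. On an affected version the "roles" array
    // is buffered on the creator path with no visibleInView check and then
    // added into the list returned by the getter.
    public static class UserVulnerable {
        private final String name;
        private final List<String> roles = new ArrayList<>();

        @JsonCreator
        public UserVulnerable(@JsonProperty("name") String name) {
            this.name = name;
        }

        public String getName() { return name; }

        // Setterless collection: Jackson calls the getter and mutates the list.
        @JsonView(Views.Admin.class)
        public List<String> getRoles() { return roles; }
    }

    // Hardened shape: "roles" is a creator parameter, so the creator branch's
    // visibleInView check applies and the value is skipped under Public view.
    // The view is declared on the getter; Jackson merges annotations across
    // accessors of the same logical property, so the creator parameter inherits it.
    public static class UserHardened {
        private final String name;
        private final List<String> roles;

        @JsonCreator
        public UserHardened(@JsonProperty("name") String name,
                            @JsonProperty("roles") List<String> roles) {
            this.name = name;
            // Skipped creator parameters arrive as null.
            this.roles = (roles == null) ? new ArrayList<>() : new ArrayList<>(roles);
        }

        public String getName() { return name; }

        @JsonView(Views.Admin.class)
        public List<String> getRoles() { return roles; }
    }

    // Constructed untrusted input: a Public-view caller tries to grant itself a role.
    static final String UNTRUSTED = "{\"name\":\"alice\",\"roles\":[\"admin\"]}";

    // Returns true when a Public-view read populates the Admin-only property,
    // i.e. when the jackson-databind on the classpath exhibits the bypass.
    public static boolean isAffected(ObjectMapper mapper) throws Exception {
        UserVulnerable v = mapper.readerWithView(Views.Public.class)
                .forType(UserVulnerable.class)
                .readValue(UNTRUSTED);
        return !v.getRoles().isEmpty();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        System.out.println("classpath jackson-databind affected: " + isAffected(mapper));

        // The hardened shape leaves roles empty on fixed and affected versions alike,
        // because the creator parameter is view-checked before it is read.
        UserHardened h = mapper.readerWithView(Views.Public.class)
                .forType(UserHardened.class)
                .readValue(UNTRUSTED);
        System.out.println("hardened roles under Public view: " + h.getRoles());

        // Under the Admin view both shapes accept the value, as intended.
        UserHardened admin = mapper.readerWithView(Views.Admin.class)
                .forType(UserHardened.class)
                .readValue(UNTRUSTED);
        System.out.println("hardened roles under Admin view:  " + admin.getRoles());
    }
}
```

isAffected is the kind of check worth keeping in a test suite next to the dependency version assertion: it fails loudly if a transitive dependency drags in an affected jackson-databind. Restructuring the bean is a workaround, not a substitute for upgrading; for properties that should never be client-writable at all, `@JsonProperty(access = JsonProperty.Access.READ_ONLY)` removes them from deserialization entirely and does not depend on view processing.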
This vulnerability was introduced with jackson-databind 2.9 (2.9.0, released in 2017).
Mitigation
Only recent versions of jackson-databind are community-supported. The affected 2.13.x, 2.14.x, and 2.15.x lines are End-of-Life and have no publicly available fix for this issue; NES for Jackson is the remedy for those lines.
Users of the affected components should apply one of the following mitigations:
- Upgrade jackson-databind to 2.18.8, 2.21.4, or a later release in the same line, all of which contain the fix.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Omkhar Arasaratnam (finder)