Skip to main content

jackson-databind CVE-2026-54518

| EUVDEUVD-2026-38629 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-23 https://github.com/FasterXML/jackson-databind GHSA-rcqc-6cw3-h962
6.5
CVSS 3.1 · Vendor: https://github.com/FasterXML/jackson-databind
Share

Severity by source

Vendor (https://github.com/FasterXML/jackson-databind) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.3 MEDIUM

AV:N because attacker delivers JSON over the network; PR:N at the library layer; I:L for unauthorized writes to view-restricted fields; C:N because deserialization itself does not expose data to the attacker.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/FasterXML/jackson-databind).

CVSS VectorVendor: https://github.com/FasterXML/jackson-databind

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 21:51 vuln.today
Analysis Generated
Jun 23, 2026 - 21:51 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5,171 maven packages depend on com.fasterxml.jackson.core:jackson-databind (1,703 direct, 3,524 indirect)
  • 358 maven packages depend on tools.jackson.core:jackson-databind (101 direct, 257 indirect)

Ecosystem-wide dependent count for version 2.21.0 and other introduced versions.

DescriptionCVE.org

Summary

UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active.

Impact

View-restricted unwrapped creator parameters can be set from untrusted input where @JsonView is used as a write-side authorization boundary.

Affected / Patched (verified via git tag --contains)

  • 2.21 line: >= 2.21.0, < 2.21.4 -> fixed in 2.21.4 (backport 721fa07, #5973)
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4 (#5971, d633bc0)

Severity / CWE

Maintainer: minor. Reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-284.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

AnalysisAI

Jackson-databind's @JsonView authorization boundary is bypassed for constructor parameters that combine @JsonUnwrapped and @JsonView annotations, affecting versions 2.21.0-2.21.3 and 3.0.0-3.1.3. The deserialization code path in UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters without calling prop.visibleInView(activeView), while the standard property path correctly enforces this check. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify API endpoint deserializing JSON with restricted view active
Delivery
Send crafted JSON including admin-view-restricted field names
Exploit
UnwrappedPropertyHandler replays buffered tokens without view check
Execution
Admin-restricted @JsonUnwrapped creator parameter populated with attacker value
Impact
Unauthorized data written to privileged object field

Vulnerability AssessmentAI

Exploitation Exploitation requires all three of the following conditions simultaneously: (1) the application uses `@JsonView` as a write-side (deserialization) authorization boundary, not merely for serialization output shaping - this is a non-default, application-specific design choice; (2) a deserialized Java class has a `@JsonCreator`-annotated constructor where at least one parameter is annotated with BOTH `@JsonView` and `@JsonUnwrapped`; (3) the application deserializes attacker-controlled JSON via `ObjectMapper.readerWithView()` activating a view that is less privileged than the view annotating the vulnerable constructor parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) is technically defensible at the library level but overstates real-world risk for most deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted HTTP POST body - for example `{"name":"alice","street":"1 Main St"}` - to a public API endpoint that deserializes the payload using `ObjectMapper.readerWithView(PublicView.class)`. Because the target class has a `@JsonCreator` constructor parameter annotated with both `@JsonView(AdminView.class)` and `@JsonUnwrapped`, the `UnwrappedPropertyHandler` replay path populates the admin-restricted `address` field from the attacker's input despite the PublicView context. …
Remediation Upgrade jackson-databind to 2.21.4 or later on the 2.21.x line, or to 3.1.4 or later on the 3.x line; these versions are confirmed fixed per git tag evidence cited in the GitHub advisory (GHSA-rcqc-6cw3-h962). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54518 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy