Skip to main content

jackson-databind EUVDEUVD-2026-38589

| CVE-2026-54517 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-23 security-advisories@github.com GHSA-5hh8-q8hv-fr38
5.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.7 LOW

AC:H because exploitation requires three concurrent non-default application conditions: @JsonCreator constructor, setterless collection/map with @JsonView restriction, and view used as a security boundary.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 21:36 vuln.today
Analysis Generated
Jun 23, 2026 - 21:36 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5,171 maven packages depend on com.fasterxml.jackson.core:jackson-databind (1,703 direct, 3,524 indirect)
  • 358 maven packages depend on tools.jackson.core:jackson-databind (101 direct, 257 indirect)

Ecosystem-wide dependent count for version 2.21.0 and other introduced versions.

DescriptionCVE.org

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.

AnalysisAI

@JsonView access-control bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows remote attackers to write values into setterless Collection/Map properties that are restricted by a @JsonView annotation, defeating view-based mass-assignment protection during deserialization. The regression was introduced when SetterlessProperty.isMerging() was changed to return true, routing these properties through an unguarded buffering branch in BeanDeserializer._deserializeUsingPropertyBased that lacked the prop.visibleInView(activeView) check applied to creator properties. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted JSON with restricted collection field to API endpoint
Delivery
Force property-buffering path via @JsonCreator deserialization trigger
Exploit
Bypass missing visibleInView check in unguarded buffering branch
Execution
Populate admin-restricted setterless collection with attacker values
Impact
Achieve unauthorized data write or privilege escalation in application object model

Vulnerability AssessmentAI

Exploitation Exploitation requires three simultaneous application-level conditions: (1) the target class uses a @JsonCreator constructor, which activates the property-based deserialization path in BeanDeserializer._deserializeUsingPropertyBased; (2) the class contains at least one setterless Collection or Map property - a field with no setter, only a getter returning a mutable collection - annotated with a @JsonView that restricts it to a more-privileged view (e.g., AdminView); and (3) the application invokes the ObjectMapper with a less-privileged active view (e.g., readerWithView(PublicView.class)) and relies on that view filter to prevent the restricted field from being written. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 rates this 5.3 Medium with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, but the AC:L rating warrants scrutiny: exploitation requires the simultaneous presence of a @JsonCreator constructor, at least one setterless Collection/Map property, and application reliance on @JsonView for security enforcement - a specific combination that is common in layered REST APIs but not universal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targets a REST endpoint that deserializes client-supplied JSON into a class with a @JsonCreator constructor, where a roles or permissions field is a setterless List annotated @JsonView(AdminView.class) and the endpoint operates under PublicView. By submitting JSON containing "roles":["admin"] - particularly placing it before the creator property to force the buffering path - the attacker's value is written into the roles collection despite the PublicView restriction, achieving unauthorized privilege escalation within the deserialized object. …
Remediation Upgrade jackson-databind to version 2.21.4 (for 2.21.x users) or 3.1.4 (for 3.x users); both are confirmed patched releases per GHSA advisory GHSA-5hh8-q8hv-fr38 at https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5hh8-q8hv-fr38. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35491 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35490 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2022-42004 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali

CVE-2022-42003 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of

CVE-2019-12086 HIGH POC
7.5 May 17

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)

CVE-2020-9546 CRITICAL
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-11112 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

Share

EUVD-2026-38589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy