CVE-2026-54517
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk15th percentile - higher than 15% of all known CVEs
Summary
In jackson-databind versions 2.21.0 to 2.21.4 and 3.1.4, the @JsonView filter is not applied to setterless Collection/Map properties, allowing attacker-supplied JSON to be processed even when the active view should exclude it.
Risk Assessment
The risk involves unauthorized data access or modification when an application uses @JsonView annotations to restrict field visibility. An attacker can bypass these restrictions and inject data into objects that should be protected.
Recommendation
Update jackson-databind to version 2.21.4 or 3.1.4 immediately. If an update is not possible, consider temporarily disabling merging for setterless Collection/Map properties.
Original NVD description (English source)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.

