Data-binding Vulnerability in jackson-databind by FasterXML
CVE-2026-54518

6.5MEDIUM

Key Information:

Vendor

Fasterxml

Status
Jackson-databind
Vendor
CVE Published:
23 June 2026

What is CVE-2026-54518?

The jackson-databind library, used for data-binding in JSON processing, has a flaw that allows unwrapped properties to be populated from attacker-controlled JSON without proper visibility checks. This occurs because the method UnwrappedPropertyHandler.processUnwrappedCreatorProperties() incorrectly replays buffered JSON into constructor parameters, bypassing visibility conditions defined by @JsonView. This issue affects versions 2.21.0 to 2.21.4 and 3.1.4 and poses a risk by allowing unauthorized data to be processed when a restrictive view is active. Update to versions 2.21.4 or 3.1.4 to mitigate this vulnerability.

Affected Version(s)

jackson-databind >= 2.21.0, < 2.21.4 < 2.21.0, 2.21.4

jackson-databind >= 3.0.0, < 3.1.4 < 3.0.0, 3.1.4

References

https://github.com/FasterXML/jackson-databind/security/ad...
x_refsource_CONFIRM
https://github.com/FasterXML/jackson-databind/pull/5971
x_refsource_MISC
https://github.com/FasterXML/jackson-databind/pull/5973
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.