PT-2026-51602 · Unknown · Jackson-Databind

Omkhar · Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-54518

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

jackson-databind versions 2.21.0 through 2.21.3
jackson-databind versions 3.0.0 through 3.1.3

Description

The UnwrappedPropertyHandler.processUnwrappedCreatorProperties() function replays buffered JSON into creator parameters without consulting prop.visibleInView(activeView). While the standard property-based creator path restricts creator properties based on the active view, this specific unwrapped-creator replay path bypasses that check. Consequently, a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped can be populated from untrusted JSON input even when a more restrictive view is active, potentially bypassing write-side authorization boundaries.

Recommendations

Update to version 2.21.4 for the 2.21 line. Update to version 3.1.4 for the 3.x line.
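A regression check for the behaviour described above, added here as an example and not code from the advisory or from the Jackson project: the view classes, the Account/Privileges types and the JSON input are constructed for illustration, and the imports assume the jackson-databind 2.21 package names (3.x uses different packages). Run against a patched build, the admin-only unwrapped creator parameter must stay unpopulated when deserializing under the public view.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonUnwrapped;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class UnwrappedCreatorViewCheck {

    // Constructed views: untrusted callers are deserialized under PublicView only.
    public static class PublicView {}
    public static class AdminView extends PublicView {}

    // Constructed nested type; its fields are flattened into the parent JSON by @JsonUnwrapped.
    public static class Privileges {
        public String role;
    }

    public static class Account {
        public final String name;
        public final Privileges privileges;

        // The pattern the advisory names: a creator parameter that is both
        // unwrapped and restricted to AdminView.
        @JsonCreator
        public Account(@JsonProperty("name") String name,
                       @JsonUnwrapped @JsonView(AdminView.class) Privileges privileges) {
            this.name = name;
            this.privileges = privileges;
        }
    }

    // True when the admin-only unwrapped parameter was not populated under PublicView.
    public static boolean publicViewBlocksUnwrappedAdminField(ObjectMapper mapper) throws Exception {
        // Constructed untrusted input: "role" belongs to the unwrapped Privileges.
        String json = "{\"name\":\"alice\",\"role\":\"admin\"}";
        try {
            Account a = mapper.readerWithView(PublicView.class)
                              .forType(Account.class)
                              .readValue(json);
            return a.privileges == null || a.privileges.role == null;
        } catch (UnrecognizedPropertyException e) {
            return true; // input rejected outright: the field was not populated either
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ok = publicViewBlocksUnwrappedAdminField(new ObjectMapper());
        System.out.println(ok ? "OK: view enforced on unwrapped creator parameter"
                              : "FAIL: admin-only field populated under PublicView");
    }
}
```

A FAIL result on a build at or above the fixed versions would indicate the fix is not actually on the classpath (check for shaded or transitive copies of jackson-databind).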

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-54518
GHSA-RCQC-6CW3-H962

Affected Products

Jackson-Databind