CVE-2026-54517
Java vulnerability analysis and mitigation

Overview

CVE-2026-54517 is an incorrect authorization vulnerability in FasterXML jackson-databind that allows unauthenticated network attackers to bypass @JsonView access controls on setterless Collection/Map properties. The flaw affects versions 2.21.0 through 2.21.3 and 3.0.0 through 3.1.3 of jackson-databind. It was discovered by Omkhar Arasaratnam (@omkhar), with the fix merged on May 6–7, 2026 and the advisory published on June 23, 2026. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory).

Technical details

The root cause (CWE-863: Incorrect Authorization) lies in BeanDeserializer._deserializeUsingPropertyBased(), where the active-view (@JsonView) filter was applied only to creator properties but not to the regular property-buffering branch. A prior change caused SetterlessProperty.isMerging() to return true, routing setterless Collection/Map properties through this unguarded code path. As a result, when a JSON payload is deserialized under a restricted view (e.g., PublicView), setterless properties annotated with a more privileged view (e.g., @JsonView(AdminView.class)) are still populated from attacker-controlled JSON because the prop.visibleInView(activeView) check is never performed. The fix adds an explicit view check in the buffering branch, skipping properties not visible in the active view (GitHub Advisory, Fix Commit 3.x, Fix Commit 2.x).

Impact

Successful exploitation allows an unauthenticated remote attacker to write data into view-restricted (e.g., admin-only) setterless Collection or Map properties by sending crafted JSON, bypassing the access-control and mass-assignment protection that @JsonView was meant to provide. The vulnerability does not yield remote code execution or denial of service; its impact is on integrity only, namely unauthorized modification of restricted data fields. Applications that rely solely on @JsonView annotations to gate sensitive properties (such as role lists or privilege sets) are most at risk, since those properties can be silently populated from untrusted input. The practical severity in a given application depends on what is done with the populated field afterwards: a roles list that is persisted or acted on without a further server-side check turns the integrity bypass into privilege escalation (GitHub Advisory).

Exploitation steps

  1. Reconnaissance: Identify applications using jackson-databind versions 2.21.0–2.21.3 or 3.0.0–3.1.3 that expose JSON deserialization endpoints (e.g., REST APIs accepting Content-Type: application/json).
  2. Identify target model: Determine whether the target application uses @JsonCreator-annotated constructors alongside setterless Collection/Map properties (a getter that returns the collection, with no setter method) that are restricted by @JsonView annotations (e.g., @JsonView(AdminView.class)).
  3. Craft malicious payload: Construct a JSON payload that includes the restricted property (e.g., "roles") alongside the required creator property (e.g., "name"). Placing the restricted property before the creator property forces the buffering code path: {"roles":["admin"],"name":"alice"}.
  4. Submit under restricted view: Send the crafted JSON to the target endpoint while the application is deserializing under a non-privileged view (e.g., an ObjectReader obtained with readerWithView(PublicView.class)). The missing visibleInView check causes the restricted roles collection to be populated despite the active view excluding it.
  5. Verify bypass: Confirm that the restricted property was written by observing application behavior (e.g., elevated privileges, modified role assignments) that should not be possible under the active view (GitHub Advisory, Fix PR #5969).

Indicators of compromise

  • Network: JSON payloads to REST API endpoints that contain fields the active view should exclude (e.g., roles, permissions, adminFields), submitted by unauthenticated or low-privilege clients; the restricted field typically precedes the creator property in the payload.
  • Logs: Application logs showing view-restricted properties (e.g., admin-only collection fields) being populated during requests processed under a lower-privilege view; anomalous privilege-escalation events following JSON deserialization.
  • Application behavior: Unexpected population of admin-only or restricted Collection/Map fields (e.g., role lists, permission sets) in objects deserialized from untrusted JSON input, detectable through application-level audit logging of object state after deserialization.

Mitigation and workarounds

Upgrade jackson-databind to version 2.21.4 (for the 2.x line) or 3.1.4 (for the 3.x line), which include the fix for this vulnerability. A backport to version 2.18.8 was also released. Where an immediate upgrade is not possible, do not rely on @JsonView as the sole access-control mechanism for sensitive setterless Collection/Map properties: validate untrusted payloads server-side against what the caller's view is permitted to write, or replace the getter-as-setter pattern for such properties with explicit setter methods guarded by proper authorization checks. The upgrade remains the only complete fix, since the workaround must be applied to every affected model. Apache Spark users should note that upgrading to Jackson 2.21.4 is tracked under SPARK-57273 (GitHub Advisory, Fix PR #5969).
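The model, payload and probe from the exploitation steps above, together with the server-side validation recommended here, as one added Java example. This is not code from the page or from jackson-databind itself; it targets the 2.x line (com.fasterxml.jackson.* packages and the 2.x bean-introspection API), and the class names User, PublicView and AdminView, the payload, and the helper names are illustrative assumptions. Run against the jackson-databind build on your classpath, isAffected() reports whether the admin-only roles list was populated under PublicView, while bindStrictly() shows a fail-closed pre-check that derives the set of fields the active view may write from the same @JsonView annotations and rejects the payload before binding, independent of the library version.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.BeanDescription;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.introspect.BeanPropertyDefinition;
import com.fasterxml.jackson.databind.json.JsonMapper;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class JsonViewBypassProbe {

    public static class PublicView {}
    public static class AdminView extends PublicView {}   // admins also see public fields

    // Model shaped like the advisory's description (assumed names): a property-based
    // creator plus a setterless Collection property meant to be writable only by admins.
    public static class User {
        private final String name;
        private final List<String> roles = new ArrayList<>();
        @JsonCreator
        public User(@JsonProperty("name") String name) { this.name = name; }
        @JsonView(PublicView.class)
        public String getName() { return name; }
        // No setter: Jackson treats the list returned here as a setterless
        // Collection property and appends deserialized elements to it.
        @JsonView(AdminView.class)
        public List<String> getRoles() { return roles; }
    }

    // Restricted property ordered before the creator property (exploitation step 3).
    static final String PAYLOAD = "{\"roles\":[\"admin\"],\"name\":\"alice\"}";

    // USE_GETTERS_AS_SETTERS is the 2.x default; enabled explicitly so the probe does not rely on it.
    static final ObjectMapper MAPPER = JsonMapper.builder()
            .enable(MapperFeature.USE_GETTERS_AS_SETTERS).build();

    /** Probe (exploitation steps 4-5): read PAYLOAD under a view and return what landed in roles. */
    static List<String> rolesAfterRead(Class<?> view) throws Exception {
        User u = MAPPER.readerWithView(view).forType(User.class).readValue(PAYLOAD);
        return u.getRoles();
    }

    /** True on an affected build: the admin-only list was written under PublicView. */
    static boolean isAffected() throws Exception { return !rolesAfterRead(PublicView.class).isEmpty(); }

    /** Mitigation independent of the library's internal view handling: derive the property names
     *  the active view may write from the same @JsonView annotations, via Jackson's own introspection. */
    static Set<String> writableIn(Class<?> target, Class<?> activeView) {
        BeanDescription desc = MAPPER.getDeserializationConfig().introspect(MAPPER.constructType(target));
        boolean unannotatedVisible = MAPPER.isEnabled(MapperFeature.DEFAULT_VIEW_INCLUSION);
        Set<String> allowed = new HashSet<>();
        for (BeanPropertyDefinition prop : desc.findProperties()) {
            Class<?>[] views = prop.findViews();
            boolean visible = (views == null) && unannotatedVisible;   // no @JsonView at all
            if (views != null) {
                for (Class<?> v : views) {                            // same rule Jackson applies
                    if (v.isAssignableFrom(activeView)) { visible = true; break; }
                }
            }
            if (visible) allowed.add(prop.getName());
        }
        return allowed;
    }

    /** Fail closed: bind only when every top-level field in the payload is writable in the view. */
    static User bindStrictly(String json, Class<?> activeView) throws Exception {
        JsonNode tree = MAPPER.readTree(json);
        Set<String> allowed = writableIn(User.class, activeView);
        List<String> rejected = new ArrayList<>();
        tree.fieldNames().forEachRemaining(f -> { if (!allowed.contains(f)) rejected.add(f); });
        if (!rejected.isEmpty()) {
            // Worth logging: a caller in a restricted view sent fields only a more privileged view may write.
            throw new SecurityException(activeView.getSimpleName() + " may not write " + rejected);
        }
        return MAPPER.readerWithView(activeView).forType(User.class).readValue(tree);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jackson-databind " + MAPPER.version());
        System.out.println("roles under AdminView : " + rolesAfterRead(AdminView.class));
        System.out.println("roles under PublicView: " + rolesAfterRead(PublicView.class));
        System.out.println(isAffected() ? "AFFECTED: admin-only property written under PublicView"
                                        : "not affected: admin-only property skipped under PublicView");
        System.out.println("writable in PublicView: " + writableIn(User.class, PublicView.class));
        try {
            bindStrictly(PAYLOAD, PublicView.class);
        } catch (SecurityException e) {
            System.out.println("strict binding rejected payload: " + e.getMessage());
        }
    }
}
```

With the view hierarchy shown (AdminView extends PublicView), writableIn(User.class, PublicView.class) contains name but not roles, so bindStrictly(PAYLOAD, PublicView.class) throws and the rejected field list is the event to record for the indicators listed above; under AdminView the same payload binds normally. Under PublicView, the probe's roles list stays empty on a fixed build, and the behaviour the advisory describes for affected builds is that it does not. The pre-check inspects top-level field names only; nested objects with their own views need the same treatment recursively, and the upgrade remains the complete fix.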

Community reactions

The vulnerability was rated "Moderate" by the maintainer (FasterXML) but "HIGH" by the reporter, reflecting differing assessments of real-world impact. HeroDevs published a vulnerability directory entry for CVE-2026-54517 shortly after disclosure. No significant broader media coverage or notable community debate has been observed beyond standard CVE tracking and aggregator sites.

Additional resources

References cited in this report: GitHub Advisory; Fix Commit 2.x; Fix Commit 3.x; Fix PR #5969; SPARK-57273.

Source: This report was generated using artificial intelligence.

Related Java vulnerabilities:

CVE ID          Severity  Score  Technology  Component                                    CISA KEV exploit  Published
CVE-2026-54518  NONE      N/A    Java        jackson-databind                             No                Jun 25, 2026
CVE-2026-54517  NONE      N/A    Java        jackson-databind                             No                Jun 25, 2026
CVE-2026-54516  NONE      N/A    Java        infinispan-16.0                              No                Jun 25, 2026
CVE-2026-54515  NONE      N/A    Java        com.fasterxml.jackson.core:jackson-databind  No                Jun 25, 2026
CVE-2026-54514  NONE      N/A    Java        com.fasterxml.jackson.core:jackson-databind  No                Jun 25, 2026
