CVE-2026-54518 is a @JsonView authorization bypass vulnerability in FasterXML's jackson-databind library, allowing unauthenticated remote attackers to populate view-restricted constructor parameters from untrusted JSON input. The flaw affects com.fasterxml.jackson.core:jackson-databind versions >= 2.21.0 and < 2.21.4, and tools.jackson.core:jackson-databind versions >= 3.0.0 and < 3.1.4. It was discovered by Omkhar Arasaratnam and publicly disclosed via GitHub Security Advisory on June 23, 2026. The vulnerability carries a CVSS v3.1 base score of 6.5 (Medium) (GitHub Advisory).
The root cause is an incorrect authorization check (CWE-863) in UnwrappedPropertyHandler.processUnwrappedCreatorProperties(). This method replays buffered JSON tokens into constructor (creator) parameters but never calls prop.visibleInView(activeView) to verify whether each property is permitted under the currently active @JsonView. The normal property-based deserialization path correctly gates creator properties on the active view, but the unwrapped-creator replay path skips this check entirely. As a result, a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker-supplied JSON even when a less-privileged view (e.g., PublicView) is active. The fix, applied in commits 721fa07 (2.21 branch) and d633bc0 (3.x branch), adds a visibleInView check at the top of the loop iterating over _creatorProperties (GitHub Advisory, Fix PR #5971).
Successful exploitation allows an unauthenticated network attacker to set view-restricted (e.g., admin-only) constructor parameters on deserialized objects, bypassing the application's write-side authorization boundary enforced by @JsonView. This can lead to unauthorized modification of sensitive object state (integrity impact) and potential exposure of data that should be inaccessible to lower-privileged users (confidentiality impact). Availability is not directly affected. The practical severity depends on how the application uses @JsonView as an access-control mechanism; applications relying on it to prevent unprivileged users from setting privileged fields are most at risk (GitHub Advisory).
In the attack scenario described by the advisory, the target application deserializes untrusted JSON with an active @JsonView and has a @JsonCreator constructor containing a parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped. The attacker supplies JSON carrying the fields of that @JsonUnwrapped parameter (e.g., {"name":"alice","street":"attacker-controlled","city":"Springfield"}). The application deserializes this input with a less-privileged view active (PublicView); the application would typically restrict admin fields in this context. Because of the missing visibleInView check in processUnwrappedCreatorProperties(), the admin-restricted constructor parameter is populated from the attacker's JSON despite the active PublicView, effectively setting privileged object state without authorization (GitHub Advisory, Fix PR #5971).
Remediation: upgrade to the patched versions of jackson-databind, 2.21.4 (for the 2.x line) or 3.1.4 (for the 3.x line). A backport to 2.18.8 was also released for users on the 2.18 branch. No configuration-based workaround is available; the only remediation is upgrading to a fixed version. Applications that do not use @JsonView as a write-side security boundary are not functionally impacted, but upgrading is still recommended (GitHub Advisory, Fix PR #5971, Backport PR #5973).
The vulnerability was rated "minor" by the jackson-databind maintainer (cowtowncoder) but "HIGH" by the reporter (Omkhar Arasaratnam), reflecting differing assessments of the real-world impact depending on how @JsonView is used as a security control. The Apache Spark project promptly opened a PR to upgrade to jackson-databind 2.21.4 in response to this and related fixes (Fix PR #5971). Social media activity was limited to automated CVE tracking accounts on Bluesky shortly after disclosure.
Source: This report was generated using artificial intelligence.