jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.
CVE-2026-54517
This medium-severity CVE scores 5.3 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.2%, top 85% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 5.3
- EG Score
- 5.3(medium)
- EPSS
- 14.6%
- KEV
- Not listed
Published
June 23, 2026
Last Modified
June 27, 2026
Advisory Details (5)
Auto-updated Jun 24, 2026@JsonView bypass for setterless creator properties in jackson-databind · Advisory · FasterXML/jackson-databind · GitHub
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5hh8-q8hv-fr38Backport #5969: `@JsonView` by-passed for some "setterless" creator p…
Fix merged in FasterXML/jackson-databind PR #5970 on 2026-05-07 — awaiting tagged release
https://github.com/FasterXML/jackson-databind/pull/5970`@JsonView` by-passed for some "setterless" creator properties [CVE-2026-54517]
Fix merged in FasterXML/jackson-databind PR #5969 on 2026-05-06 — awaiting tagged release
https://github.com/FasterXML/jackson-databind/pull/5969commit 94c5d215b3af (FasterXML/jackson-databind)
Fix landed in FasterXML/jackson-databind commit 94c5d215b3af — awaiting tagged release
https://github.com/FasterXML/jackson-databind/commit/94c5d215b3af1505098c686405d9641f041a9962commit 5bf23edb4221 (FasterXML/jackson-databind)
Fix landed in FasterXML/jackson-databind commit 5bf23edb4221 — awaiting tagged release
https://github.com/FasterXML/jackson-databind/commit/5bf23edb4221f7dd2ec8e71ff6d26c61640f261dVendor Advisories for CVE-2026-54517(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 18× in last 7d / 34× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-07 18:00 UTCEG score recompute
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 15:10 UTCEG score recompute
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 13:42 UTCEG score recompute
- 2026-07-05 02:31 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 12:16 UTCEG score recompute
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-03 10:45 UTCEG score recompute
- 2026-07-02 09:08 UTCEG score recompute
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-07-01 07:37 UTCEG score recompute
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 06:11 UTCEG score recompute
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 04:45 UTCEG score recompute
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
Show 9 moreShow fewer
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 03:18 UTCEG score recompute
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-27 01:51 UTCEG score recompute
- 2026-06-26 00:24 UTCEG score recompute
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 22:56 UTCEG score recompute
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:30 UTCEG score recompute
Related CVEs(same CWE)
Same CWE
10 shownCWE-863
Frequently asked(5)
What is CVE-2026-54517?
When was CVE-2026-54517 disclosed?
Is CVE-2026-54517 actively exploited?
What is the CVSS score of CVE-2026-54517?
How do I remediate CVE-2026-54517?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-54517
Is Your Infrastructure Affected by CVE-2026-54517?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.