CVE-2026-54517

ADVISORY - github

Summary

In BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it.
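A regression check for the behaviour described above, added here as an example and not taken from the advisory or the Jackson project. It assumes Jackson 2.21.x with MapperFeature.USE_GETTERS_AS_SETTERS at its default; the Account, Public and Admin classes and the input JSON are constructed for illustration. On a fixed build the Admin-only roles list stays empty under the Public view; on an affected build it is populated and the check throws.

```java
// Added regression check, not from the advisory or the Jackson project.
// Assumes Jackson 2.21.x (com.fasterxml.jackson.databind) with the default
// MapperFeature.USE_GETTERS_AS_SETTERS, which makes getRoles() setterless.
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayList;
import java.util.List;

public class SetterlessViewCheck {
    // Constructed view markers: Public is the view untrusted callers get.
    public static class Public {}
    public static class Admin {}

    public static class Account {
        private final String name;
        private final List<String> roles = new ArrayList<>();

        // Property-based creator, so deserialization goes through
        // BeanDeserializer._deserializeUsingPropertyBased (the affected path).
        @JsonCreator
        public Account(@JsonProperty("name") String name) { this.name = name; }

        @JsonView(Public.class)
        public String getName() { return name; }

        // Setterless collection restricted to Admin: it must stay empty
        // whenever the active view is Public.
        @JsonView(Admin.class)
        public List<String> getRoles() { return roles; }
    }

    // Returns true when the view restriction held (patched behaviour).
    public static boolean viewGateHolds(ObjectMapper mapper) throws Exception {
        // Constructed untrusted input that tries to grant itself a role.
        String json = "{\"name\":\"alice\",\"roles\":[\"admin\"]}";
        Account acct = mapper.readerWithView(Public.class)
                             .forType(Account.class)
                             .readValue(json);
        return acct.getRoles().isEmpty();
    }
    public static void main(String[] args) throws Exception {
        if (!viewGateHolds(new ObjectMapper())) {
            throw new IllegalStateException(
                "VULNERABLE: Admin-only setterless 'roles' was populated under Public view");
        }
        System.out.println("OK: 'roles' stayed empty under Public view");
    }
}
```

Run it against the Jackson version on the classpath; a thrown IllegalStateException means the build is in one of the affected ranges listed below.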

Impact

View-restricted (e.g. admin-only) setterless collection/map properties can be written from untrusted JSON despite @JsonView gating — an access-control / mass-assignment bypass. No RCE or DoS.

Affected / Patched (verified via git tag --contains)

  • 2.21 line: >= 2.21.0, < 2.21.4 -> fixed in 2.21.4 (backport 94c5d21, #5970)
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4 (#5969, 5bf23ed)

Severity / CWE

Maintainer: minor. Reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-1220.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Database metadata (GitHub advisory)

  • CWE: Incorrect Authorization
  • CVSS score: 5.3 (medium)
  • Exploitability score: 3.9
  • Exploits found: none listed