CVE-2026-54517
ADVISORY - githubSummary
Summary
In BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it.
Impact
View-restricted (e.g. admin-only) setterless collection/map properties can be written from untrusted JSON despite @JsonView gating — an access-control / mass-assignment bypass. No RCE or DoS.
Affected / Patched (verified via git tag --contains)
- 2.21 line:
>= 2.21.0, < 2.21.4-> fixed in 2.21.4 (backport94c5d21, #5970) - 3.x line:
>= 3.0.0, < 3.1.4-> fixed in 3.1.4 (#5969,5bf23ed)
Severity / CWE
Maintainer: minor. Reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-1220.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
Common Weakness Enumeration (CWE)
Incorrect Authorization
GitHub
3.9
CVSS SCORE
5.3mediumDebian
-
CVSS SCORE
N/AlowUbuntu
-
CVSS SCORE
N/AmediumChainguard
CGA-rj4w-hw9m-ffxf
-
minimos
MINI-2mxf-x526-99cm
-
minimos
MINI-7j7q-ccw3-rhgr
-
minimos
MINI-7xm5-qfv2-pv34
-
minimos
MINI-fmpp-5w5x-gcgq
-
minimos
MINI-g5hc-m3hw-vqx5
-
minimos
MINI-jw3w-m4vf-pc6w
-
minimos
MINI-m3hw-g7gx-pwcx
-
minimos
MINI-mpvg-ccfw-qqqx
-
minimos
MINI-mqvq-fw5c-v834
-
minimos
MINI-p7fj-g5g8-38wf
-
minimos
MINI-p7rq-j2w9-qqhf
-
minimos
MINI-pfgf-rw8h-fvg9
-
minimos
MINI-pmww-xgv7-xhcg
-
minimos
MINI-q2pc-rh4f-m38v
-
minimos
MINI-rrmv-3f8g-6pwx
-
minimos
MINI-xqpq-25hh-7grv
-