CVE-2026-54517
ADVISORY (source: GitHub)
Summary
In BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it.
Impact
View-restricted (e.g. admin-only) setterless collection/map properties can be written from untrusted JSON despite @JsonView gating — an access-control / mass-assignment bypass. No RCE or DoS.
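A regression check for the behaviour described above, added here as an example; it is not part of the advisory or of Jackson's own test suite. It assumes jackson-databind 2.x package names (the 3.x line lives under tools.jackson.databind), the default settings for DEFAULT_VIEW_INCLUSION and USE_GETTERS_AS_SETTERS, and a bean whose property-based creator routes deserialization through _deserializeUsingPropertyBased:

```java
import java.util.ArrayList;
import java.util.List;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JsonViewSetterlessCheck {
    // Marker classes for the views (constructed for this example).
    public static class Views {
        public static class Public {}
        public static class Admin extends Public {}
    }

    // Bean with a property-based creator, so deserialization takes the
    // _deserializeUsingPropertyBased path, plus a setterless, view-restricted collection.
    public static class Account {
        private final String name;
        private final List<String> roles = new ArrayList<>();

        @JsonCreator
        public Account(@JsonProperty("name") String name) {
            this.name = name;
        }

        public String getName() { return name; }

        // No setter: Jackson fills this via the getter (USE_GETTERS_AS_SETTERS, on by
        // default). Only callers deserializing with the Admin view should be able to write it.
        @JsonView(Views.Admin.class)
        public List<String> getRoles() { return roles; }
    }

    // Constructed input: untrusted JSON attempting to set the admin-only property.
    static final String UNTRUSTED_JSON = "{\"name\":\"alice\",\"roles\":[\"admin\"]}";

    // Returns true when @JsonView gating is honoured (patched behaviour); returns false
    // when the setterless collection was populated even though only the Public view is active.
    public static boolean viewIsEnforced() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        Account account = mapper.readerWithView(Views.Public.class)
                .forType(Account.class)
                .readValue(UNTRUSTED_JSON);
        return account.getRoles().isEmpty();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(viewIsEnforced() ? "OK: roles not populated under Public view"
                                            : "VULNERABLE: roles populated despite @JsonView(Admin)");
    }
}
```

Run it against the jackson-databind version on your classpath; a false result means the build is in the affected ranges listed below (or an equivalent unguarded path) and the view restriction cannot be relied on for setterless collection or map properties.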
Affected / Patched (verified via git tag --contains)
- 2.21 line: >= 2.21.0, < 2.21.4 -> fixed in 2.21.4 (backport 94c5d21, #5970)
- 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4 (#5969, 5bf23ed)
Severity / CWE
Severity as rated by the maintainer: minor; as rated by the reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-1220.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
Common Weakness Enumeration (CWE)
Incorrect Authorization