Back to overview

CVE-2026-55771

HIGH
8.8
CVSS 3.1
Description
CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 4.9.0, the EntityIdentifier.equals() has inverted null/self branches which could lead to incorrect equality comparisons. The EntityIdentifier.equals() method has inverted logic for null and self-reference checks, returning true for null comparisons and false for self-comparisons. This does not affect Cedar authorization decisions (computed in Rust from JSON), but could affect integrators who perform their own equality checks on entity identifiers. This issue has been fixed in version 4.9.0.

Metadata

CVE ID
CVE-2026-55771
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 14:34 UTC
Published
2026-07-13 19:28 UTC
Last updated
2026-07-13 19:28 UTC
Primary CWE
CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product
cedar-policy / cedar-java
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
cedar-policy cedar-java < 4.9.0
Weakness (CWE)
CWESourceDescription
CWE-697 cna CWE-697: Incorrect Comparison
CWE-843 cna CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CWE-94 cna CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References (1)
Back to overview