CVE-2026-55772
HIGH
8.8
CVSS 3.1
Description
CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Record-to-Entity type confusion across the Java-Rust FFI boundary. CedarJava sends authorization requests to the Rust cedar-policy evaluator as JSON. The JSON protocol reserves magic single-key object shapes (__entity and __extn) for entity references and extension values. When serializing a CedarMap, there is no validation preventing these reserved keys from being used. If an integrating service builds a CedarMap from caller-supplied key/value data (such as request headers, user-defined metadata, or resource tags), an actor who controls those keys could cause the Rust evaluator to interpret a record as an entity reference. This issue requires the integrating service to build a CedarMap where the an actor controls the keys, and a policy must reference that value in a when/unless clause. This vulnerability has been fixed in versions 2.3.6, 3.4.1, and 4.9.
Metadata
Severity & Metrics
8.8
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| cedar-policy | cedar-java | — | < 2.3.6, >= 3.1.2, < 3.4.1, >= 4.0.0, < 4.9.0 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-843 | cna | CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 8.8 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (1)
- https://github.com/cedar-policy/cedar-java/security/advisories/GHSA-93g4-m6xv-cmvr https://github.com/cedar-policy/cedar-java/security/advisories/GHSA-93g4-m6xv-cmvr