Back to overview

CVE-2026-55772

HIGH
8.8
CVSS 3.1
Description
CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Record-to-Entity type confusion across the Java-Rust FFI boundary. CedarJava sends authorization requests to the Rust cedar-policy evaluator as JSON. The JSON protocol reserves magic single-key object shapes (__entity and __extn) for entity references and extension values. When serializing a CedarMap, there is no validation preventing these reserved keys from being used. If an integrating service builds a CedarMap from caller-supplied key/value data (such as request headers, user-defined metadata, or resource tags), an actor who controls those keys could cause the Rust evaluator to interpret a record as an entity reference. This issue requires the integrating service to build a CedarMap where the an actor controls the keys, and a policy must reference that value in a when/unless clause. This vulnerability has been fixed in versions 2.3.6, 3.4.1, and 4.9.

Metadata

CVE ID
CVE-2026-55772
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 14:34 UTC
Published
2026-07-13 18:44 UTC
Last updated
2026-07-13 18:44 UTC
Primary CWE
CWE-843
CWE-843: Access of Resource Using Incompatible Type ('Type C…
Vendor / Product
cedar-policy / cedar-java
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
cedar-policy cedar-java < 2.3.6, >= 3.1.2, < 3.4.1, >= 4.0.0, < 4.9.0
Weakness (CWE)
CWESourceDescription
CWE-843 cna CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References (1)
Back to overview