Back to overview

CVE-2026-55773

HIGH
8.8
CVSS 3.1
Description
CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Cedar-expression injection via unescaped toCedarExpr(). The toCedarExpr() method on Cedar Value types does not escape special characters (" or \) when converting values to Cedar source code. If an integrator uses toCedarExpr() to build policy text at runtime from user-controlled values, an actor could inject arbitrary Cedar expressions. For example, injecting || true into a permit ... when { ... } clause could make the permit unconditional, or injecting && false into a forbid clause could prevent the forbid from triggering. This issue requires the integrator to use toCedarExpr() to build policy text at runtime from user-controlled input. This vulnerability has been fixed in versions 2.3.6, 3.4.1, and 4.9.0.

Metadata

CVE ID
CVE-2026-55773
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 14:34 UTC
Published
2026-07-13 19:17 UTC
Last updated
2026-07-13 19:17 UTC
Primary CWE
CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product
cedar-policy / cedar-java
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
cedar-policy cedar-java < 2.3.6, >= 3.1.2, < 3.4.1, >= 4.0.0, < 4.9.0
Weakness (CWE)
CWESourceDescription
CWE-94 cna CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References (1)
Back to overview