Home

Description

CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 4.9.0, the EntityIdentifier.equals() has inverted null/self branches which could lead to incorrect equality comparisons. The EntityIdentifier.equals() method has inverted logic for null and self-reference checks, returning true for null comparisons and false for self-comparisons. This does not affect Cedar authorization decisions (computed in Rust from JSON), but could affect integrators who perform their own equality checks on entity identifiers. This issue has been fixed in version 4.9.0.

PUBLISHED Reserved 2026-06-17 | Published 2026-07-13 | Updated 2026-07-14 | Assigner GitHub_M




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-697: Incorrect Comparison

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

Product status

< 4.9.0
affected

References

github.com/...r-java/security/advisories/GHSA-4r9r-4425-74p7

cve.org (CVE-2026-55771)

nvd.nist.gov (CVE-2026-55771)

Download JSON