Home

Description

CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Record-to-Entity type confusion across the Java-Rust FFI boundary. CedarJava sends authorization requests to the Rust cedar-policy evaluator as JSON. The JSON protocol reserves magic single-key object shapes (__entity and __extn) for entity references and extension values. When serializing a CedarMap, there is no validation preventing these reserved keys from being used. If an integrating service builds a CedarMap from caller-supplied key/value data (such as request headers, user-defined metadata, or resource tags), an actor who controls those keys could cause the Rust evaluator to interpret a record as an entity reference. This issue requires the integrating service to build a CedarMap where the an actor controls the keys, and a policy must reference that value in a when/unless clause. This vulnerability has been fixed in versions 2.3.6, 3.4.1, and 4.9.

PUBLISHED Reserved 2026-06-17 | Published 2026-07-13 | Updated 2026-07-13 | Assigner GitHub_M




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

Product status

< 2.3.6
affected

>= 3.1.2, < 3.4.1
affected

>= 4.0.0, < 4.9.0
affected

References

github.com/...r-java/security/advisories/GHSA-93g4-m6xv-cmvr

cve.org (CVE-2026-55772)

nvd.nist.gov (CVE-2026-55772)

Download JSON