Inverted Logic Vulnerability in CedarJava Open Source Java Implementation
CVE-2026-55771

8.8HIGH

Key Information:

Vendor
CVE Published:
13 July 2026

What is CVE-2026-55771?

CedarJava, an open source Java implementation of the Cedar policy language, has a vulnerability where the EntityIdentifier.equals() method exhibits inverted logic for null and self-reference checks. This flaw results in returning true for null comparisons and false when checking self-references. While the vulnerability does not impact Cedar's authorization decisions, it poses a risk to integrators who may implement their own equality checks on entity identifiers if they are using versions earlier than 4.9.0. Users are advised to upgrade to version 4.9.0 or later to mitigate this issue.

Affected Version(s)

cedar-java < 4.9.0

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.