Inverted Logic Vulnerability in CedarJava Open Source Java Implementation
CVE-2026-55771
8.8HIGH
What is CVE-2026-55771?
CedarJava, an open source Java implementation of the Cedar policy language, has a vulnerability where the EntityIdentifier.equals() method exhibits inverted logic for null and self-reference checks. This flaw results in returning true for null comparisons and false when checking self-references. While the vulnerability does not impact Cedar's authorization decisions, it poses a risk to integrators who may implement their own equality checks on entity identifiers if they are using versions earlier than 4.9.0. Users are advised to upgrade to version 4.9.0 or later to mitigate this issue.
Affected Version(s)
cedar-java < 4.9.0
