Input Handling Flaw in CedarJava Java Implementation Affecting Authorization Decisions
CVE-2026-55772

8.8HIGH

Key Information:

Vendor
CVE Published:
13 July 2026

What is CVE-2026-55772?

CedarJava, an open-source Java implementation of the Cedar policy language, exhibits an improper input handling vulnerability in certain versions. This flaw arises from the lack of validation in the serialization process of CedarMaps, particularly when using reserved JSON keys for entity references. When the integrating service creates a CedarMap sourced from user-supplied data, malicious actors can manipulate key/value pairs to confuse record types with entity references, compromising authorization decisions. This has been addressed in CedarJava versions 2.3.6, 3.4.1, and 4.9. For more information, refer to the detailed advisory at GitHub.

Affected Version(s)

cedar-java < 2.3.6 < 2.3.6

cedar-java >= 3.1.2, < 3.4.1 < 3.1.2, 3.4.1

cedar-java >= 4.0.0, < 4.9.0 < 4.0.0, 4.9.0

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.