Input Handling Flaw in CedarJava Java Implementation Affecting Authorization Decisions
CVE-2026-55772
What is CVE-2026-55772?
CedarJava, an open-source Java implementation of the Cedar policy language, exhibits an improper input handling vulnerability in certain versions. This flaw arises from the lack of validation in the serialization process of CedarMaps, particularly when using reserved JSON keys for entity references. When the integrating service creates a CedarMap sourced from user-supplied data, malicious actors can manipulate key/value pairs to confuse record types with entity references, compromising authorization decisions. This has been addressed in CedarJava versions 2.3.6, 3.4.1, and 4.9. For more information, refer to the detailed advisory at GitHub.
Affected Version(s)
cedar-java < 2.3.6 < 2.3.6
cedar-java >= 3.1.2, < 3.4.1 < 3.1.2, 3.4.1
cedar-java >= 4.0.0, < 4.9.0 < 4.0.0, 4.9.0
