Input Handling Flaw in CedarJava by Cedar Policy
CVE-2026-55773

8.8HIGH

Key Information:

Vendor
CVE Published:
13 July 2026

What is CVE-2026-55773?

CedarJava, an open-source Java implementation for the Cedar policy language, is susceptible to an input handling flaw that enables Cedar-expression injection in versions prior to 2.3.6, 3.4.1, and 4.9.0. The 'toCedarExpr()' method does not adequately escape special characters when converting user-controlled values to Cedar source code. This oversight allows malicious actors to inject arbitrary Cedar expressions, potentially compromising the integrity of authorization policies. For instance, a user could manipulate a policy by injecting || true to make a permit unconditional, or && false to prevent a forbid clause from activating. Leveraging this vulnerability requires improper use of 'toCedarExpr()' to process user inputs, emphasizing the need for secure coding practices in compliance with best policy management standards.

Affected Version(s)

cedar-java < 2.3.6 < 2.3.6

cedar-java >= 3.1.2, < 3.4.1 < 3.1.2, 3.4.1

cedar-java >= 4.0.0, < 4.9.0 < 4.0.0, 4.9.0

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.