Input Handling Flaw in CedarJava by Cedar Policy
CVE-2026-55773
What is CVE-2026-55773?
CedarJava, an open-source Java implementation for the Cedar policy language, is susceptible to an input handling flaw that enables Cedar-expression injection in versions prior to 2.3.6, 3.4.1, and 4.9.0. The 'toCedarExpr()' method does not adequately escape special characters when converting user-controlled values to Cedar source code. This oversight allows malicious actors to inject arbitrary Cedar expressions, potentially compromising the integrity of authorization policies. For instance, a user could manipulate a policy by injecting || true to make a permit unconditional, or && false to prevent a forbid clause from activating. Leveraging this vulnerability requires improper use of 'toCedarExpr()' to process user inputs, emphasizing the need for secure coding practices in compliance with best policy management standards.
Affected Version(s)
cedar-java < 2.3.6 < 2.3.6
cedar-java >= 3.1.2, < 3.4.1 < 3.1.2, 3.4.1
cedar-java >= 4.0.0, < 4.9.0 < 4.0.0, 4.9.0
