CVE-2026-55772
Deferred Deferred - Pending Action

Type Confusion in CedarJava via Reserved JSON Keys

Vulnerability report for CVE-2026-55772, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: GitHub, Inc.

Description

CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Record-to-Entity type confusion across the Java-Rust FFI boundary. CedarJava sends authorization requests to the Rust cedar-policy evaluator as JSON. The JSON protocol reserves magic single-key object shapes (__entity and __extn) for entity references and extension values. When serializing a CedarMap, there is no validation preventing these reserved keys from being used. If an integrating service builds a CedarMap from caller-supplied key/value data (such as request headers, user-defined metadata, or resource tags), an actor who controls those keys could cause the Rust evaluator to interpret a record as an entity reference. This issue requires the integrating service to build a CedarMap where the an actor controls the keys, and a policy must reference that value in a when/unless clause. This vulnerability has been fixed in versions 2.3.6, 3.4.1, and 4.9.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
cedarjava cedarjava to 2.3.6|end_excluding=3.4.1|end_excluding=4.9.0 (exc)
cedarjava cedarjava 2.3.6
cedarjava cedarjava 3.4.1
cedarjava cedarjava 4.9.0
cedar_policy cedarjava to 2.3.6|end_excluding=3.4.1|end_excluding=4.9 (exc)
cedar_policy cedarjava 2.3.6
cedar_policy cedarjava 3.4.1
cedar_policy cedarjava 4.9

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
AI Quick Actions have not been generated yet.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55772. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart