CVE-2026-55772
Deferred
Deferred - Pending Action
Type Confusion in CedarJava via Reserved JSON Keys
Vulnerability report for CVE-2026-55772, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-13
Last updated on: 2026-07-13
Assigner: GitHub, Inc.
Description
Description
CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Record-to-Entity type confusion across the Java-Rust FFI boundary. CedarJava sends authorization requests to the Rust cedar-policy evaluator as JSON. The JSON protocol reserves magic single-key object shapes (__entity and __extn) for entity references and extension values. When serializing a CedarMap, there is no validation preventing these reserved keys from being used. If an integrating service builds a CedarMap from caller-supplied key/value data (such as request headers, user-defined metadata, or resource tags), an actor who controls those keys could cause the Rust evaluator to interpret a record as an entity reference. This issue requires the integrating service to build a CedarMap where the an actor controls the keys, and a policy must reference that value in a when/unless clause. This vulnerability has been fixed in versions 2.3.6, 3.4.1, and 4.9.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cedarjava | cedarjava | to 2.3.6|end_excluding=3.4.1|end_excluding=4.9.0 (exc) |
| cedarjava | cedarjava | 2.3.6 |
| cedarjava | cedarjava | 3.4.1 |
| cedarjava | cedarjava | 4.9.0 |
| cedar_policy | cedarjava | to 2.3.6|end_excluding=3.4.1|end_excluding=4.9 (exc) |
| cedar_policy | cedarjava | 2.3.6 |
| cedar_policy | cedarjava | 3.4.1 |
| cedar_policy | cedarjava | 4.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |