CedarJava CVE-2026-55773
Severity: HIGH (by source; primary rating from GitHub Advisory)
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Rating note: Network reachable but exploitable only when the integrator uses toCedarExpr() on user input (AC:H); requires app-level auth (PR:L); primary impact is authorization integrity, with limited confidentiality and no DoS.
Description (GitHub Advisory)
Summary
CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. Under certain circumstances, improper input handling could allow policy injection.
Impact
Cedar-expression injection via unescaped toCedarExpr()
The toCedarExpr() method on Cedar Value types does not escape special characters (" or \) when converting values to Cedar source code. If an integrator uses toCedarExpr() to build policy text at runtime from user-controlled values, an actor could inject arbitrary Cedar expressions. For example, injecting || true into a permit ... when { ... } clause could make the permit unconditional, or injecting && false into a forbid clause could prevent the forbid from triggering.
This issue requires the integrator to use toCedarExpr() to build policy text at runtime from user-controlled input.
Impacted versions:
< 4.9
Patches
Addressed in CedarJava version 2.3.6, 3.4.1, and 4.9 and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds
Validate and sanitize all user-supplied input before passing it to toCedarExpr(). Avoid building policy text at runtime from user-controlled values.
References
If you have any questions or comments about this advisory, we ask that you contact us directly via email to [cedar-policy-security@lists.cncf.io](mailto:cedar-policy-security@lists.cncf.io). Please do not create a public GitHub issue.
Analysis (AI)
Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers to alter authorization outcomes by smuggling Cedar expressions through unescaped string values. The flaw is in toCedarExpr() on Cedar Value types, which fails to escape quote and backslash characters when serializing user-controlled values into policy text. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The integrating application must call toCedarExpr() on Cedar Value types and concatenate the result into Cedar policy source text at runtime, with at least one of the interpolated values coming from attacker-controlled input (e.g., HTTP request fields, tenant metadata). … |
| Risk Assessment | The vendor-assigned CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 8.8) overstates real-world risk for most consumers: exploitability is fully gated on the integrator pattern of feeding user-controlled values into toCedarExpr() to build policy text at runtime, which is an unusual integration choice rather than the library's default usage. … |
| Exploit Scenario | An application uses CedarJava to dynamically assemble a permit policy by interpolating a user-supplied attribute (for example, a tenant-supplied display name) into a when-clause via toCedarExpr(). The attacker submits a value such as foo" || true || "foo, which, after unescaped serialization, terminates the original string literal and appends '|| true' to the condition, causing the permit clause to evaluate true unconditionally and granting access the policy was meant to deny. … |
| Remediation | Vendor-released patches are available: upgrade com.cedarpolicy:cedar-java to 2.3.6, 3.4.1, or 4.9.0 (or later) depending on the release line you track, per GHSA-qmch-v2q9-wg4p (https://github.com/cedar-policy/cedar-java/security/advisories/GHSA-qmch-v2q9-wg4p). … |
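The advisory's Impact and Workarounds sections and the exploit scenario above describe one mechanism: a value wrapped in quotes without escaping can close the string literal early, so the rest of the value is parsed as Cedar syntax. The following is an added, language-agnostic illustration in Python; it is not CedarJava code and not the patched toCedarExpr(). It places the vulnerable builder beside one that escapes backslash and double quote, and adds a small string-literal tokenizer that an integrator can use as a regression check on any policy text assembled at runtime. The policy template, the attribute name display_name, the helper names and the set of supported escapes are assumptions made for this example; the payload is the one quoted in the exploit scenario.

```python
"""Added illustration (Python, not CedarJava) of the toCedarExpr() escaping
flaw described in CVE-2026-55773: an unsafe policy-text builder beside one
that escapes the characters the advisory names (" and \\).

Template, attribute name, helper names and the escape set are assumptions
made for this example; the payload is the one quoted in the exploit scenario.
"""

# Payload quoted in the advisory's exploit scenario (constructed test input).
ADVISORY_PAYLOAD = 'foo" || true || "foo'

# Shape of the "permit ... when { ... }" policy from the advisory; the
# attribute name is made up for this example. Doubled braces are str.format
# escapes for the literal Cedar braces.
POLICY_TEMPLATE = (
    "permit(principal, action, resource)\n"
    "when {{ resource.display_name == {literal} }};"
)

# C-style escapes for the characters this example is willing to emit.
ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}
UNESCAPES = {"\\": "\\", '"': '"', "n": "\n", "r": "\r", "t": "\t"}


def unsafe_literal(value: str) -> str:
    """Mimics the vulnerable behaviour: quotes added, nothing escaped."""
    return f'"{value}"'


def cedar_string_literal(value: str) -> str:
    """Serialise a string as a Cedar string literal with escaping.

    Every character is mapped individually, so a backslash in the input can
    never combine with a following quote into an escape the parser reads
    differently from what the caller meant.
    """
    out = []
    for ch in value:
        if ch in ESCAPES:
            out.append(ESCAPES[ch])
        elif ord(ch) < 0x20:
            # Other control characters are rejected rather than guessed at.
            raise ValueError(f"unsupported control character U+{ord(ch):04X}")
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def build_policy(value: str, *, escape: bool) -> str:
    """Interpolate `value` into the template, safely or the vulnerable way."""
    lit = cedar_string_literal(value) if escape else unsafe_literal(value)
    return POLICY_TEMPLATE.format(literal=lit)


def string_literals(policy: str) -> list[str]:
    """Return the decoded contents of every double-quoted literal in the text.

    A small tokenizer that honours backslash escapes; enough to tell whether
    an interpolated value is still one literal or has been split in two.
    """
    literals, i, n = [], 0, len(policy)
    while i < n:
        if policy[i] != '"':
            i += 1
            continue
        j, buf = i + 1, []
        while j < n and policy[j] != '"':
            if policy[j] == "\\" and j + 1 < n:
                nxt = policy[j + 1]
                buf.append(UNESCAPES.get(nxt, "\\" + nxt))
                j += 2
            else:
                buf.append(policy[j])
                j += 1
        literals.append("".join(buf))
        i = j + 1
    return literals


def injection_suspected(value: str, *, escape: bool) -> bool:
    """True when the value did not survive interpolation as a single literal,
    i.e. part of it was parsed as Cedar syntax rather than string content."""
    return string_literals(build_policy(value, escape=escape)) != [value]


if __name__ == "__main__":
    for escape in (False, True):
        print(build_policy(ADVISORY_PAYLOAD, escape=escape))
        print("injection suspected:",
              injection_suspected(ADVISORY_PAYLOAD, escape=escape))
```

With the unescaped builder the payload yields two literals ("foo" and "foo") around a bare `|| true`, and injection_suspected() returns True; with the escaping builder the whole payload decodes back to one literal equal to the input. The check is a cheap safety net for an integrator's own test suite, but the advisory's guidance stands: upgrade to a patched version and avoid building policy text at runtime from user-controlled values at all.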
Recommended Action (AI)
24 hours: Inventory systems using com.cedarpolicy:cedar-java versions below 2.3.6, 3.4.1, and 4.9.0. …
External advisory: GHSA-qmch-v2q9-wg4p (https://github.com/cedar-policy/cedar-java/security/advisories/GHSA-qmch-v2q9-wg4p)