Threat Advisory

CedarJava Vulnerabilities Expose FFI Type Manipulation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Two security vulnerabilities have been identified in CedarJava, the Java implementation of the Cedar policy language, affecting the 2.x, 3.x and 4.x release lines prior to versions 2.3.6, 3.4.1 and 4.9.0 respectively. The issues are policy injection (code injection) through unescaped string values and type confusion across the Java-Rust FFI boundary, either of which can be leveraged to bypass authorization logic or manipulate entity references. Exploitation requires an attacker to supply crafted input that an integrating service incorporates into policy text or into record (map) keys without proper sanitisation. Successful exploitation could result in unauthorized access to protected resources, privilege escalation, or denial of legitimate operations, posing significant compliance and financial risk to organisations that rely on Cedar for fine-grained access control.

  • CVE-2026-55773 with a CVSS score of 8.8 – Policy injection through the toCedarExpr() method, which does not escape special characters in string values. A value containing a quote can therefore terminate its string literal, and an attacker who can influence policy-building input can append arbitrary Cedar expression text. Exploitation requires the integrator to construct policy text at runtime from user-controlled values.
  • CVE-2026-55772 with a CVSS score of 8.8 – Type confusion caused by unvalidated reserved keys (__entity, __extn) in CedarMap objects. In the Cedar JSON value format these keys tag entity references and extension values, so an attacker who can control map keys can make the Rust evaluator treat an ordinary record as an entity reference or an extension value. Exploitation depends on services that build CedarMap structures from external data such as request headers or metadata.
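The following Java program is an added example and not code from CedarJava or from the advisory. It shows the first finding as an integrator would meet it: a policy condition assembled at runtime from a caller-supplied owner name. naiveQuote() is a stand-in for a quoting routine that wraps a value in double quotes without escaping, which is the behaviour the advisory attributes to toCedarExpr(); cedarQuote() is the hardened form, escaping backslash, double quote and control characters according to Cedar's string-literal escape syntax. The function names, the sample policy and the attacker string are this example's own assumptions.

```java
/**
 * Added example, not CedarJava's own code. naiveQuote() stands in for quoting
 * with no escaping (the pattern behind the policy-injection finding);
 * cedarQuote() is the hardened replacement. All names here are assumptions.
 */
public final class CedarStringEscaping {

    /** Hypothetical unescaped quoting: a quote inside the value ends the literal early. */
    static String naiveQuote(String value) {
        return "\"" + value + "\"";
    }

    /**
     * Emit a Cedar string literal. Cedar accepts the backslash escapes
     * \\ \" \' \n \r \t \0 and the hex form u{XXXX} (with a leading backslash).
     * Escaping backslash and double quote is what keeps a value from
     * terminating its literal; other control characters are escaped too so the
     * literal cannot span lines.
     */
    static String cedarQuote(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 2);
        sb.append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                case '\0': sb.append("\\0"); break;
                default:
                    if (c < 0x20) {
                        // remaining control characters: backslash, then u{hex}
                        sb.append('\\').append("u{").append(Integer.toHexString(c)).append('}');
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.append('"').toString();
    }

    /** Integrator code that splices a runtime value into policy text: the risky pattern. */
    static String ownerPolicy(String ownerLiteral) {
        return "permit(principal, action == Action::\"view\", resource) "
             + "when { resource.owner == " + ownerLiteral + " };";
    }

    /** Count double quotes not preceded by an escaping backslash; one intact literal has exactly two. */
    static int unescapedQuotes(String literal) {
        int count = 0;
        boolean escaped = false;
        for (char c : literal.toCharArray()) {
            if (escaped) { escaped = false; continue; }
            if (c == '\\') { escaped = true; continue; }
            if (c == '"') count++;
        }
        return count;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled owner value: closes the literal, appends a
        // tautology, and reopens a literal so the remaining policy text still parses.
        String hostile = "alice\" || true || resource.owner == \"";

        String naive = naiveQuote(hostile);
        String safe = cedarQuote(hostile);

        System.out.println(ownerPolicy(naive));
        System.out.println(ownerPolicy(safe));
        System.out.println("unescaped quotes in naive literal: " + unescapedQuotes(naive));
        System.out.println("unescaped quotes in escaped literal: " + unescapedQuotes(safe));
    }
}
```

With the naive quoting the when-clause becomes resource.owner == "alice" || true || resource.owner == "", a condition that is always true because the injected || true is evaluated as policy code; unescapedQuotes() reports four quote characters, showing the literal was split. With cedarQuote() the same input stays a single string literal (two unescaped quotes) and is merely compared, as data, against the resource's owner attribute. The escaper is a mitigation for integrators who must build policy text; upgrading to a fixed release remains the primary fix.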

Both flaws can turn an attacker-controlled string or map key into a change in the access decision of any service that builds Cedar policies or records from external data, potentially granting unauthorized access or altering access decisions. Given the high CVSS scores and the ease of triggering the vulnerabilities once the risky construction pattern is present, remediation should be treated as urgent. Failure to address these issues could lead to data breaches, regulatory penalties, and loss of customer trust.
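The following Java program is an added example, not code from CedarJava or from the advisory, illustrating the CedarMap finding (CVE-2026-55772) listed above. A context record is built from external request metadata in two ways: copied as-is, and through a guard that rejects the reserved keys. toCedarJson() is a minimal renderer of the Cedar JSON value format, in which {"__entity": {"type": T, "id": I}} denotes an entity reference and {"__extn": {...}} an extension value; it exists only to show what the Rust side receives once the record crosses the FFI boundary. The metadata, the attribute names and all function names are this example's own assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not CedarJava's own code. Shows how external data carrying the
 * reserved keys __entity or __extn is read as an entity reference or extension
 * value on the Rust side, and a guard that rejects such keys before the value is
 * placed in a record. All names here are assumptions.
 */
public final class CedarRecordGuard {

    /** Keys the Cedar JSON value format reserves for tagging non-record values. */
    static final Set<String> RESERVED_KEYS = Set.of("__entity", "__extn");

    /** Vulnerable pattern: external key/value pairs go straight into the record. */
    static Map<String, Object> contextUnchecked(Map<String, Object> external) {
        return new LinkedHashMap<>(external);
    }

    /** Hardened: refuse reserved keys at every nesting level before the value reaches the FFI. */
    @SuppressWarnings("unchecked")
    static Map<String, Object> contextChecked(Map<String, Object> external) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : external.entrySet()) {
            String key = e.getKey();
            if (RESERVED_KEYS.contains(key)) {
                throw new IllegalArgumentException("reserved Cedar key in external data: " + key);
            }
            Object value = e.getValue();
            if (value instanceof Map) {
                value = contextChecked((Map<String, Object>) value);
            }
            out.put(key, value);
        }
        return out;
    }

    /** Minimal Cedar JSON value rendering for strings, booleans, numbers and nested records. */
    @SuppressWarnings("unchecked")
    static String toCedarJson(Object value) {
        if (value instanceof String) {
            String s = (String) value;
            return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
        }
        if (value instanceof Boolean || value instanceof Number) {
            return String.valueOf(value);
        }
        if (value instanceof Map) {
            StringBuilder sb = new StringBuilder("{");
            String sep = "";
            for (Map.Entry<String, Object> e : ((Map<String, Object>) value).entrySet()) {
                sb.append(sep).append(toCedarJson(e.getKey())).append(':').append(toCedarJson(e.getValue()));
                sep = ",";
            }
            return sb.append('}').toString();
        }
        throw new IllegalArgumentException("unsupported value type: " + value.getClass());
    }

    public static void main(String[] args) {
        // Constructed request metadata: the caller-supplied "caller" object has a single
        // key, the reserved __entity tag, so as JSON it reads as the entity User::"admin".
        Map<String, Object> uid = new LinkedHashMap<>();
        uid.put("type", "User");
        uid.put("id", "admin");
        Map<String, Object> caller = new LinkedHashMap<>();
        caller.put("__entity", uid);
        Map<String, Object> external = new LinkedHashMap<>();
        external.put("caller", caller);
        external.put("request_id", "r-42");

        // Unchecked: the record is forwarded with the reserved key intact.
        System.out.println("unchecked context: " + toCedarJson(contextUnchecked(external)));

        // Checked: the same input is refused before it can be turned into a CedarMap.
        try {
            contextChecked(external);
        } catch (IllegalArgumentException ex) {
            System.out.println("checked context rejected: " + ex.getMessage());
        }
    }
}
```

The unchecked branch prints a context whose caller attribute is the tagged object {"__entity":{"type":"User","id":"admin"}}; a policy such as permit(principal, action, resource) when { context.caller == User::"admin" }; then compares against a genuine entity reference rather than a record, which is the confusion the advisory describes. The guard throws on the first reserved key it meets, including inside nested maps. Whether to reject only the two reserved keys or every key beginning with "__" is a design choice; the stricter rule is reasonable when the schema defines no such attributes.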

RECOMMENDATION:

  • Update CedarJava to 2.3.6, 3.4.1 or 4.9.0, whichever is the fixed release for the line in use.
  • Until the upgrade is deployed, avoid constructing policy text at runtime from user-controlled values, and reject external data whose keys are __entity or __extn before it is placed in a CedarMap; the fixed versions address the library, but these construction patterns remain the entry point for both flaws.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-qmch-v2q9-wg4p
https://github.com/advisories/GHSA-93g4-m6xv-cmvr
