{"api_version":"1","generated_at":"2026-07-14T00:10:35+00:00","cve":"CVE-2026-55771","urls":{"html":"https://cve.report/CVE-2026-55771","api":"https://cve.report/api/cve/CVE-2026-55771.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-55771","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-55771"},"summary":{"title":"CedarJava has policy injection, type confusion, and incorrect equality comparison vulnerabilities","description":"CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 4.9.0, the EntityIdentifier.equals() has inverted null/self branches which could lead to incorrect equality comparisons. The EntityIdentifier.equals() method has inverted logic for null and self-reference checks, returning true for null comparisons and false for self-comparisons. This does not affect Cedar authorization decisions (computed in Rust from JSON), but could affect integrators who perform their own equality checks on entity identifiers. This issue has been fixed in version 4.9.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-13 20:16:48","updated_at":"2026-07-13 20:21:44"},"problem_types":["CWE-94","CWE-697","CWE-843","CWE-94 CWE-94: Improper Control of Generation of Code ('Code Injection')","CWE-697 CWE-697: Incorrect Comparison","CWE-843 CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/cedar-policy/cedar-java/security/advisories/GHSA-4r9r-4425-74p7","name":"https://github.com/cedar-policy/cedar-java/security/advisories/GHSA-4r9r-4425-74p7","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-55771","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55771","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"cedar-policy","product":"cedar-java","version":"affected < 4.9.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"cedar-java","vendor":"cedar-policy","versions":[{"status":"affected","version":"< 4.9.0"}]}],"descriptions":[{"lang":"en","value":"CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 4.9.0, the EntityIdentifier.equals() has inverted null/self branches which could lead to incorrect equality comparisons. The EntityIdentifier.equals() method has inverted logic for null and self-reference checks, returning true for null comparisons and false for self-comparisons. This does not affect Cedar authorization decisions (computed in Rust from JSON), but could affect integrators who perform their own equality checks on entity identifiers. This issue has been fixed in version 4.9.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-94","description":"CWE-94: Improper Control of Generation of Code ('Code Injection')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-697","description":"CWE-697: Incorrect Comparison","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-843","description":"CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-13T19:28:00.835Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/cedar-policy/cedar-java/security/advisories/GHSA-4r9r-4425-74p7","tags":["x_refsource_CONFIRM"],"url":"https://github.com/cedar-policy/cedar-java/security/advisories/GHSA-4r9r-4425-74p7"}],"source":{"advisory":"GHSA-4r9r-4425-74p7","discovery":"UNKNOWN"},"title":"CedarJava has policy injection, type confusion, and incorrect equality comparison vulnerabilities"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-55771","datePublished":"2026-07-13T19:28:00.835Z","dateReserved":"2026-06-17T14:34:51.881Z","dateUpdated":"2026-07-13T19:28:00.835Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-13 20:16:48","lastModifiedDate":"2026-07-13 20:21:44","problem_types":["CWE-94","CWE-697","CWE-843","CWE-94 CWE-94: Improper Control of Generation of Code ('Code Injection')","CWE-697 CWE-697: Incorrect Comparison","CWE-843 CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"55771","Ordinal":"1","Title":"CedarJava has policy injection, type confusion, and incorrect eq","CVE":"CVE-2026-55771","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"55771","Ordinal":"1","NoteData":"CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 4.9.0, the EntityIdentifier.equals() has inverted null/self branches which could lead to incorrect equality comparisons. The EntityIdentifier.equals() method has inverted logic for null and self-reference checks, returning true for null comparisons and false for self-comparisons. This does not affect Cedar authorization decisions (computed in Rust from JSON), but could affect integrators who perform their own equality checks on entity identifiers. This issue has been fixed in version 4.9.0.","Type":"Description","Title":"CedarJava has policy injection, type confusion, and incorrect eq"}]}}}