CVE-2026-55772: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in cedar-policy cedar-java
CVE-2026-55772 is a high-severity vulnerability in cedar-java, an open source Java implementation of the Cedar policy language. It involves a type confusion issue across the Java-Rust FFI boundary where improper input handling allows an attacker controlling certain keys in a CedarMap to cause the Rust evaluator to misinterpret a record as an entity reference. This occurs because the JSON protocol reserves special keys (__entity and __extn) without validation preventing their misuse. The vulnerability affects cedar-java versions prior to 2.3.6, versions from 3.0.0 up to but not including 3.4.1, and versions from 4.0.0 up to but not including 4.9.0. The issue requires specific conditions involving the integrating service and policy references. Fixes are available in versions 2.3.6, 3.4.1, and 4.9.0.
AI Analysis
Technical Summary
CVE-2026-55772 is a type confusion vulnerability (CWE-843) in cedar-java where improper input validation allows an attacker controlling keys in a CedarMap to exploit reserved JSON keys (__entity and __extn) used for entity references and extension values. This leads to the Rust cedar-policy evaluator interpreting a record as an entity reference incorrectly. The vulnerability arises from the lack of validation during serialization of CedarMap objects sent as JSON across the Java-Rust FFI boundary. Exploitation requires the integrating service to build a CedarMap from attacker-controlled keys and a policy referencing those values in a when/unless clause. The vulnerability affects cedar-java versions <2.3.6, >=3.0.0 <3.4.1, and >=4.0.0 <4.9.0 and has been fixed in versions 2.3.6, 3.4.1, and 4.9.0.
Potential Impact
Successful exploitation can lead to unauthorized access or privilege escalation due to the Rust evaluator misinterpreting data types, resulting in potentially high confidentiality, integrity, and availability impacts as indicated by the CVSS score of 8.8 (high). The attacker must control keys in the CedarMap and have a policy referencing those keys, which may limit exploitability depending on the integrating service's design.
Mitigation Recommendations
A fix is available in cedar-java versions 2.3.6, 3.4.1, and 4.9.0. Users should upgrade to one of these versions to remediate the vulnerability. No vendor advisory content contradicts this; therefore, upgrading to a fixed version is the recommended mitigation.
CVE-2026-55772: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in cedar-policy cedar-java
Description
CVE-2026-55772 is a high-severity vulnerability in cedar-java, an open source Java implementation of the Cedar policy language. It involves a type confusion issue across the Java-Rust FFI boundary where improper input handling allows an attacker controlling certain keys in a CedarMap to cause the Rust evaluator to misinterpret a record as an entity reference. This occurs because the JSON protocol reserves special keys (__entity and __extn) without validation preventing their misuse. The vulnerability affects cedar-java versions prior to 2.3.6, versions from 3.0.0 up to but not including 3.4.1, and versions from 4.0.0 up to but not including 4.9.0. The issue requires specific conditions involving the integrating service and policy references. Fixes are available in versions 2.3.6, 3.4.1, and 4.9.0.
CVSS v3.1
Score 8.8high
Affected software
pkg:maven/io.cedarpolicy/cedar-javaRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-55772 is a type confusion vulnerability (CWE-843) in cedar-java where improper input validation allows an attacker controlling keys in a CedarMap to exploit reserved JSON keys (__entity and __extn) used for entity references and extension values. This leads to the Rust cedar-policy evaluator interpreting a record as an entity reference incorrectly. The vulnerability arises from the lack of validation during serialization of CedarMap objects sent as JSON across the Java-Rust FFI boundary. Exploitation requires the integrating service to build a CedarMap from attacker-controlled keys and a policy referencing those values in a when/unless clause. The vulnerability affects cedar-java versions <2.3.6, >=3.0.0 <3.4.1, and >=4.0.0 <4.9.0 and has been fixed in versions 2.3.6, 3.4.1, and 4.9.0.
Potential Impact
Successful exploitation can lead to unauthorized access or privilege escalation due to the Rust evaluator misinterpreting data types, resulting in potentially high confidentiality, integrity, and availability impacts as indicated by the CVSS score of 8.8 (high). The attacker must control keys in the CedarMap and have a policy referencing those keys, which may limit exploitability depending on the integrating service's design.
Mitigation Recommendations
A fix is available in cedar-java versions 2.3.6, 3.4.1, and 4.9.0. Users should upgrade to one of these versions to remediate the vulnerability. No vendor advisory content contradicts this; therefore, upgrading to a fixed version is the recommended mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-17T14:34:51.881Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a55366a68715ace43b0b29d
Added to database: 07/13/2026, 19:03:06 UTC
Last enriched: 07/13/2026, 19:17:37 UTC
Last updated: 07/13/2026, 21:40:34 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.