PatchSiren

cedar-policy CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH cedar-policy CVE published 2026-07-13

CVE-2026-55773

CVE-2026-55773 is a high-severity vulnerability in CedarJava, an open-source Java implementation of the Cedar policy language. The vulnerability allows for cedar-expression injection via unescaped toCedarExpr(). This issue arises from the toCedarExpr() method on Cedar Value types not escaping special characters (such as quotes or backslashes) when converting values to Cedar source code. If an integrator u [truncated]

HIGH cedar-policy CVE published 2026-07-13

CVE-2026-55771

CedarJava, an open-source Java implementation of the Cedar policy language used for fine-grained authorization decisions, has a vulnerability in versions prior to 4.9.0. The EntityIdentifier.equals() method has inverted logic for null and self-reference checks, potentially leading to incorrect equality comparisons. This issue does not affect Cedar authorization decisions but may impact integrators perform [truncated]

HIGH cedar-policy CVE published 2026-07-13

CVE-2026-55772

CedarJava, an open-source Java implementation of the Cedar policy language, is vulnerable to a Record-to-Entity type confusion attack. In versions prior to 2.3.6, 3.4.1, and 4.9.0, improper input handling could allow an attacker to cause the Rust cedar-policy evaluator to interpret a record as an entity reference. This requires the integrating service to build a CedarMap where an actor controls the keys, [truncated]