CVE-2026-55771 in CedarJavainfo

Summary

by MITRE • 07/13/2026

CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 4.9.0, the EntityIdentifier.equals() has inverted null/self branches which could lead to incorrect equality comparisons. The EntityIdentifier.equals() method has inverted logic for null and self-reference checks, returning true for null comparisons and false for self-comparisons. This does not affect Cedar authorization decisions (computed in Rust from JSON), but could affect integrators who perform their own equality checks on entity identifiers. This issue has been fixed in version 4.9.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

The CedarJava library represents a critical component in implementing fine-grained authorization systems through its Java-based implementation of the Cedar policy language. This open source project serves as a bridge between Java applications and the Cedar authorization framework, enabling developers to enforce complex access control policies. The vulnerability resides within the EntityIdentifier class which is fundamental to representing entities within the Cedar system, making this issue particularly concerning for security implementations that rely on proper entity identification and comparison logic.

The technical flaw manifests in the EntityIdentifier.equals() method where inverted conditional logic creates a dangerous inconsistency in equality comparisons. Specifically, the implementation erroneously returns true when comparing an EntityIdentifier to null, while simultaneously returning false when comparing an EntityIdentifier to itself. This fundamental logical error directly violates the mathematical properties of equality relations and creates unpredictable behavior in any code that depends on proper entity identification. The vulnerability can be categorized under CWE-483 as improper control flow implementation, specifically involving inverted conditional logic that leads to incorrect program behavior.

The operational impact extends beyond simple code correctness issues since this flaw affects integrators who perform their own equality checks on entity identifiers rather than relying solely on Cedar's authorization decision engine. While the core Cedar authorization decisions are computed in Rust from JSON inputs and remain unaffected, the integrity of Java-based applications that utilize CedarJava for entity management becomes compromised. This creates potential security risks when developers assume proper equality behavior for entity identification, potentially leading to incorrect access control decisions or authorization bypasses in custom integrations. The issue affects any application that depends on correct entity identifier comparison logic for authorization decisions.

Security practitioners should consider this vulnerability in the context of ATT&CK technique T1078 which addresses valid accounts and legitimate credentials. When entity identifiers behave inconsistently, it can lead to unauthorized access patterns or privilege escalation scenarios where improper equality checks might allow attackers to manipulate entity references and bypass intended access controls. The fix implemented in version 4.9.0 resolves the inverted null/self branches by correcting the conditional logic to properly handle null comparisons and self-references according to standard equality semantics. Organizations using CedarJava should prioritize upgrading to version 4.9.0 or later to ensure proper entity identifier behavior and maintain the integrity of their authorization systems, particularly in environments where custom equality checks are performed on entity identifiers.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!