CVE-2026-55773
cedar-policy · cedar-java
CedarJava is vulnerable to code injection, allowing an authenticated attacker to execute arbitrary code due to improper control of code generation.
Executive summary
A high-severity code injection vulnerability in CedarJava enables authenticated attackers to execute arbitrary code, potentially compromising the integrity and availability of the authorization system.
Vulnerability
This is a code injection vulnerability (CWE-94) stemming from improper control of code generation. The CVSS vector (PR:L) indicates that an attacker must possess low-level privileges to successfully exploit this flaw.
Business impact
Successful exploitation allows for arbitrary code execution, which could lead to full system compromise, unauthorized data access, or the manipulation of fine-grained authorization decisions. With a CVSS score of 8.8, this vulnerability represents a significant risk to the security of the application infrastructure, necessitating immediate attention.
Remediation
Immediate Action: Update the com.cedarpolicy:cedar-java Maven package to version 2.3.6, 3.4.1, or 4.9.0 depending on the currently deployed major release.
Proactive Monitoring: Audit application access logs for unusual policy-related activity or unexpected code execution patterns.
Compensating Controls: Ensure the application runs with the principle of least privilege to limit the impact of potential arbitrary code execution.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the high severity and the potential for complete system compromise, organizations should prioritize updating the cedar-java library to the specified patched versions. Organizations should verify their current version against the affected ranges and apply the relevant patch immediately to eliminate this attack vector.