github.com/cedar-policy/cedar-go is vulnerable to Access of Resource Using Incompatible Type ('Type Confusion')
81
High Risk
Affected versions of this package contain a type confusion vulnerability in the cedar-go JSON value parser: JSON objects that carry string-valued `type` and `id` keys are parsed as EntityUID values instead of Record objects, and every other field of such an object is silently dropped. Because this coercion is applied recursively across nested values, Cedar policies that expect record fields may instead evaluate unexpected EntityUID objects, causing expressions to fail and authorization decisions to be computed incorrectly. An attacker able to supply JSON entity data, context, or nested record values can craft objects with `type` and `id` keys to strip security-relevant fields during parsing and trigger policy mis-evaluation, potentially bypassing intended authorization checks.
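The following is an added example, not code from cedar-go or from this advisory. It does not call cedar-go at all; it only implements a pre-parse check a defender can run over untrusted entity or context JSON before handing it to the library, based on the shape the advisory describes (an object whose `type` and `id` keys are both strings). It walks the decoded document recursively, the same way the advisory says the coercion is applied, and reports every object that would be turned into an EntityUID together with the record fields that would be silently lost. The input document and its field names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Finding describes one JSON object that a parser treating
// {"type": <string>, "id": <string>} as an EntityUID would coerce,
// and the record fields that the coercion would silently drop.
type Finding struct {
	Path    string   // slash-separated path to the object; "" is the document root
	Dropped []string // keys other than "type" and "id" that would be lost, sorted
}

// looksLikeEntityUID reports whether an object has string-valued "type" and
// "id" keys, which is the shape the advisory says gets parsed as an EntityUID.
func looksLikeEntityUID(obj map[string]any) bool {
	_, typeIsString := obj["type"].(string)
	_, idIsString := obj["id"].(string)
	return typeIsString && idIsString
}

// walk recurses through a decoded JSON value and records every object that
// would be coerced AND carries additional keys. A bare {"type","id"} object is a
// legitimate EntityUID and is not reported, since nothing would be lost.
func walk(path string, v any, out *[]Finding) {
	switch n := v.(type) {
	case map[string]any:
		if looksLikeEntityUID(n) {
			var dropped []string
			for k := range n {
				if k != "type" && k != "id" {
					dropped = append(dropped, k)
				}
			}
			if len(dropped) > 0 {
				sort.Strings(dropped)
				*out = append(*out, Finding{Path: path, Dropped: dropped})
			}
		}
		for k, child := range n {
			walk(path+"/"+k, child, out)
		}
	case []any:
		for i, child := range n {
			walk(fmt.Sprintf("%s/%d", path, i), child, out)
		}
	}
}

// FindCoercibleRecords decodes untrusted JSON (entity data or context) and
// returns every nested object that the vulnerable parser would coerce from a
// Record into an EntityUID, with the keys that would be dropped. An empty
// result means the coercion could not remove any field from this document.
func FindCoercibleRecords(data []byte) ([]Finding, error) {
	var v any
	if err := json.Unmarshal(data, &v); err != nil {
		return nil, err
	}
	var out []Finding
	walk("", v, &out)
	// Map iteration order is random; sort so callers get deterministic output.
	sort.Slice(out, func(a, b int) bool { return out[a].Path < out[b].Path })
	return out, nil
}

// constructedContext is a made-up context document (not taken from the
// advisory). The "request" record and the item in "items" happen to carry
// "type" and "id" keys next to the fields a policy would actually check.
const constructedContext = `{
  "principal": {"type": "User", "id": "alice"},
  "request": {
    "type": "transfer",
    "id": "req-42",
    "amount": 5000,
    "mfa_verified": false
  },
  "items": [
    {"type": "Doc", "id": "d1", "classification": "secret"}
  ]
}`

func main() {
	findings, err := FindCoercibleRecords([]byte(constructedContext))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("object at %q would become an EntityUID, dropping fields %v\n", f.Path, f.Dropped)
	}
}
```

On the constructed document the check reports `/items/0` (losing `classification`) and `/request` (losing `amount` and `mfa_verified`), while the `principal` object is left alone because it is a genuine EntityUID with nothing to lose. Rejecting or logging such inputs in front of an unpatched cedar-go build gives a concrete signal of attempted field stripping, but it is a stopgap; the fix is upgrading past the vulnerable range.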
You are affected if you are using a version that falls within the vulnerable range.
github.com/cedar-policy/cedar-go is vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in versions 0.2.0 - 1.5.2.
Upgrade the github.com/cedar-policy/cedar-go library to a patched version.