Skip to main content

Suse CVE-2026-33729

MEDIUM
Improper Input Validation (CWE-20)
2026-03-26 https://github.com/openfga/openfga
Medium
Disputed · 5.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
GitHub Advisory PRIMARY
5.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 26, 2026 - 17:30 vuln.today
Patch released
Mar 26, 2026 - 17:30 nvd
Patch available
CVE Published
Mar 26, 2026 - 17:21 nvd
MEDIUM 5.8

DescriptionGitHub Advisory

Description

In OpenFGA, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request.

Am I Affected?

Users are affected if the following preconditions are met:

  1. The model has relations which rely on condition evaluation.
  2. Caching is enabled.

Fix

Upgrade to OpenFGA v1.13.1.

Acknowledgement

OpenFGA would like to thank @Amemoyoi for the discovery and responsible disclosure.

AnalysisAI

OpenFGA's condition-based caching mechanism can generate identical cache keys for different authorization check requests, allowing attackers to bypass access controls by triggering cache reuse of previously evaluated decisions. This affects deployments with relations that evaluate conditions and have caching enabled. Organizations should upgrade to OpenFGA v1.13.1 to remediate the cache poisoning vulnerability.

Technical ContextAI

OpenFGA is an open-source fine-grained authorization system written in Go (pkg:go/github.com_openfga_openfga). The vulnerability stems from inadequate cache key generation in the condition evaluation subsystem, classified under CWE-20 (Improper Input Validation). When models incorporate relation conditions-complex authorization logic that evaluates contextual constraints-the caching layer fails to differentiate between semantically distinct permission checks, creating cache collisions. An attacker positioned to issue sequential authorization requests can exploit this deterministic cache key collision to retrieve cached authorization results from prior requests with different contexts, effectively bypassing intended permission boundaries. The root cause is insufficient entropy or scope isolation in the cache key derivation algorithm when conditions are present.

RemediationAI

Upgrade OpenFGA to version v1.13.1 or later immediately (see https://github.com/openfga/openfga/releases/tag/v1.13.1). The upstream fix is available via commit 049b50ccd2cc7e163bd897f3d17a7b859ad146f8. For organizations unable to patch immediately, disable caching in OpenFGA configuration if operationally feasible, or restrict network access to the OpenFGA service to trusted internal systems only to limit the attacker surface for crafting sequential permission-check probes. Validate that deployed versions are v1.13.1 or later by checking release tags and commit hashes in production environments.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy