Suse
CVE-2026-33729
MEDIUM
Severity by source
Sources disagree (Medium–Critical)CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Description
In OpenFGA, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request.
Am I Affected?
Users are affected if the following preconditions are met:
- The model has relations which rely on condition evaluation.
- Caching is enabled.
Fix
Upgrade to OpenFGA v1.13.1.
Acknowledgement
OpenFGA would like to thank @Amemoyoi for the discovery and responsible disclosure.
AnalysisAI
OpenFGA's condition-based caching mechanism can generate identical cache keys for different authorization check requests, allowing attackers to bypass access controls by triggering cache reuse of previously evaluated decisions. This affects deployments with relations that evaluate conditions and have caching enabled. Organizations should upgrade to OpenFGA v1.13.1 to remediate the cache poisoning vulnerability.
Technical ContextAI
OpenFGA is an open-source fine-grained authorization system written in Go (pkg:go/github.com_openfga_openfga). The vulnerability stems from inadequate cache key generation in the condition evaluation subsystem, classified under CWE-20 (Improper Input Validation). When models incorporate relation conditions-complex authorization logic that evaluates contextual constraints-the caching layer fails to differentiate between semantically distinct permission checks, creating cache collisions. An attacker positioned to issue sequential authorization requests can exploit this deterministic cache key collision to retrieve cached authorization results from prior requests with different contexts, effectively bypassing intended permission boundaries. The root cause is insufficient entropy or scope isolation in the cache key derivation algorithm when conditions are present.
RemediationAI
Upgrade OpenFGA to version v1.13.1 or later immediately (see https://github.com/openfga/openfga/releases/tag/v1.13.1). The upstream fix is available via commit 049b50ccd2cc7e163bd897f3d17a7b859ad146f8. For organizations unable to patch immediately, disable caching in OpenFGA configuration if operationally feasible, or restrict network access to the OpenFGA service to trusted internal systems only to limit the attacker surface for crafting sequential permission-check probes. Validate that deployed versions are v1.13.1 or later by checking release tags and commit hashes in production environments.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today