Skip to main content

Google CVE-2026-34972

| EUVDEUVD-2026-19486 MEDIUM
Incorrect Authorization (CWE-863)
2026-04-06 GitHub_M GHSA-jwvj-g8pc-cx45
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Red Hat
4.2 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 07, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 06, 2026 - 21:00 euvd
EUVD-2026-19486
Analysis Generated
Apr 06, 2026 - 21:00 vuln.today
CVE Published
Apr 06, 2026 - 20:41 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.

AnalysisAI

BatchCheck API calls in OpenFGA 1.8.0 through 1.13.1 can bypass authorization policies when multiple permission checks target the same object, relation, and user combination, allowing authenticated attackers with limited privileges to gain unauthorized access to protected resources. The vulnerability stems from improper handling of duplicate check parameters in batch operations and is fixed in version 1.14.0.

Technical ContextAI

OpenFGA is an authorization engine implementing a Zanzibar-inspired relationship-based access control (ReBAC) model. The vulnerability exists in the BatchCheck operation, which allows multiple authorization decisions to be evaluated in a single request. The root cause is classified under CWE-863 (Incorrect Authorization), indicating a flaw in the access control decision logic when processing batched requests with duplicate check parameters. When the same object-relation-user tuple appears multiple times within a single BatchCheck call, the authorization engine fails to properly enforce the defined policies, potentially returning incorrect permission decisions. This affects the core permission evaluation path in OpenFGA's authorization framework, which is critical infrastructure for applications delegating access control decisions to the platform.

RemediationAI

Vendor-released patch: OpenFGA 1.14.0 or later. Organizations using affected versions 1.8.0 through 1.13.1 must upgrade immediately to 1.14.0 or a later stable release to resolve the BatchCheck authorization bypass. No temporary workaround that avoids the vulnerability has been identified; immediate patching is the only remediation. Security advisory details are available at https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45, which should be reviewed for comprehensive mitigation guidance and confirmation of fix applicability to your deployment.

Vendor StatusVendor

Share

CVE-2026-34972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy