Skip to main content

OpenFGA CVE-2026-41131

| EUVDEUVD-2026-24573 MEDIUM
Use of Incorrectly-Resolved Name or Reference (CWE-706)
2026-04-22 security-advisories@github.com GHSA-57j5-qwp2-vqp6
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Red Hat
5.0 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 13:44 nvd
Patch available
Patch available
Apr 22, 2026 - 21:02 EUVD
Analysis Generated
Apr 22, 2026 - 00:59 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 00:22 euvd
EUVD-2026-24573
Analysis Generated
Apr 22, 2026 - 00:22 vuln.today
CVE Published
Apr 22, 2026 - 00:16 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix.

AnalysisAI

OpenFGA versions prior to 1.14.1 suffer from a cache key collision vulnerability in conditional authorization models that enables attackers to obtain unauthorized access to resources by forcing reuse of cached authorization decisions. When conditions are evaluated with caching enabled, different check requests can generate identical cache keys, causing OpenFGA to incorrectly return a previously cached authorization result for a subsequent request with different parameters. This affects deployments using relational models with condition evaluation where caching is active, allowing authenticated users to bypass intended access controls and disclose information about resources they should not access.

Technical ContextAI

OpenFGA is a Zanzibar-inspired authorization engine that uses relation-based access control (ReBAC) models. The vulnerability stems from insufficient cache key generation in the condition evaluation subsystem (CWE-706: Use of Incorrectly-Resolved Name or Reference). When a model includes conditions that modify authorization logic, the cache implementation fails to account for all parameters that should uniquely identify a check request. This results in hash collisions where two semantically different authorization checks produce identical cache keys. The affected code path involves the interaction between the relation evaluation engine and the caching layer when processing conditional relations, allowing an authenticated user to craft sequential requests that exploit the collision to retrieve cached results from unrelated authorization contexts.

RemediationAI

Upgrade OpenFGA to version 1.14.1 or later, which contains the fix for cache key collision in conditional models. This is the primary mitigation. For organizations unable to immediately patch, disable caching at the application level via configuration settings (specific cache-related flags in OpenFGA config; consult the project documentation for exact parameter names), though this will degrade authorization check performance and should be considered temporary only. Alternatively, remove or simplify condition-based relations in authorization models until patched, reverting to simpler relation structures without conditional logic. This preserves caching benefits but reduces authorization expressiveness. Review access logs for evidence of cache-based authorization bypass attempts (identical check results with different parameters in short timeframes). Organizations should prioritize patching as the fix is straightforward and available; disabling caching or redesigning models imposes operational costs without addressing the root cause.

Vendor StatusVendor

Share

CVE-2026-41131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy