Skip to main content

OpenFGA CVE-2026-48096

| EUVDEUVD-2026-36061 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-10 GitHub_M GHSA-8396-jffm-qx4w
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat
5.0 MEDIUM
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
CVSS changed
Jun 12, 2026 - 00:52 NVD
5.0 (MEDIUM) 5.3 (MEDIUM)
Patch available
Jun 10, 2026 - 17:01 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 16:41 vuln.today
Analysis Generated
Jun 10, 2026 - 16:41 vuln.today

DescriptionNVD

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.

AnalysisAI

Cache key collision in OpenFGA's iterator caching mechanism allows two distinct authorization check requests to resolve to the same cache key, causing the engine to return a stale, incorrect authorization result to a subsequent requester. All OpenFGA deployments prior to version 1.16.0 with iterator caching enabled are affected, specifically when using the experimental weighted_graph_check union resolution path. An authenticated attacker who can trigger authorization checks under conditions that produce a colliding cache key may receive an incorrect allow or deny decision, undermining the integrity and confidentiality of access control enforced by the engine. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

OpenFGA (cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*) is an open-source authorization engine implementing the Zanzibar relationship-based access control model, widely used as a policy-enforcement backend. The vulnerability resides in the experimental weighted_graph_check resolution path, where result caching was applied at the union node level rather than the individual edge level. Because union nodes aggregate multiple edges that share structural properties across different requests (differing only in object or relation), the cache key construction was insufficiently granular, allowing two logically distinct check requests to map to the same key. This is classified under CWE-345 (Insufficient Verification of Data Authenticity): the engine trusts a cached authorization result without verifying that it was produced for the same effective request context. Additionally, a related race condition allowed in-flight goroutines cancelled by a union short-circuit to write a false result into the cache, which subsequent requests would then consume without hitting the datastore. The root fix (PR #3117) moved caching from union node to individual edge scope; PR #3125 addressed the goroutine cancellation race.

RemediationAI

Upgrade OpenFGA to version 1.16.0 or later; this is the vendor-confirmed patched release per the GitHub advisory GHSA-8396-jffm-qx4w and release notes at https://github.com/openfga/openfga/releases/tag/v1.16.0. The fix restructures cache key granularity at the individual edge level (PR #3117) and resolves the goroutine cancellation race (PR #3125), fully addressing both root causes. If an immediate upgrade is not feasible, disabling iterator caching eliminates the vulnerability surface at the cost of increased datastore query load and higher authorization check latency under concurrent request patterns. Alternatively, disabling the experimental weighted_graph_check feature and falling back to the standard check algorithm avoids the vulnerable code path without disabling caching globally, though this trades off any performance or graph-weighting benefits the experimental feature provided. Deployments not using the weighted_graph_check experimental feature are not affected and do not require emergency action beyond scheduling the standard upgrade.

CVE-2023-35933 HIGH POC
7.5 Jun 26

OPenFGA is an open source authorization/permission engine built for developers. Rated high severity (CVSS 7.5), this vul

CVE-2024-42473 CRITICAL
9.8 Aug 12

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2024-31452 CRITICAL
9.8 Apr 16

OpenFGA is a high-performance and flexible authorization/permission engine. Rated critical severity (CVSS 9.8), this vul

CVE-2022-23542 CRITICAL
9.8 Dec 20

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated critical sever

CVE-2022-39352 CRITICAL
9.8 Nov 08

OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Rated critical severity (CVSS

CVE-2022-39342 CRITICAL
9.8 Oct 25

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2022-39341 CRITICAL
9.8 Oct 25

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2026-24851 HIGH
8.8 Feb 06

Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases)

CVE-2023-45810 HIGH
7.5 Oct 17

OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated high s

CVE-2026-40293 MEDIUM
6.5 Apr 17

OpenFGA 0.1.4 through 1.13.1 discloses preshared API authentication keys in plaintext HTML responses from the unauthenti

CVE-2024-23820 MEDIUM
6.5 Jan 26

OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. Rat

CVE-2023-40579 MEDIUM
6.5 Aug 25

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severit

Vendor StatusVendor

Share

CVE-2026-48096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy