EUVD-2026-19486

CVE-2026-34972 | Severity: MEDIUM | CVSS 3.1 base score: 5.0
Published: 2026-04-06 | Source: GitHub_M | Advisory: GHSA-jwvj-g8pc-cx45

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network (AV:N)
Attack Complexity: High (AC:H)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: Low (C:L)
Integrity: Low (I:L)
Availability: Low (A:L)

Lifecycle Timeline (newest first)

Patch Released: Apr 07, 2026 - 20:30 (nvd); patch available
Analysis Generated: Apr 06, 2026 - 21:00 (vuln.today)
EUVD ID Assigned: Apr 06, 2026 - 21:00 (euvd); EUVD-2026-19486
CVE Published: Apr 06, 2026 - 20:41 (nvd)

Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions 1.8.0 through 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.

Analysis

In OpenFGA 1.8.0 through 1.13.1, a BatchCheck request that contains multiple checks for the same object, relation, and user combination can, under specific conditions, be evaluated incorrectly, so an authenticated caller with low privileges (PR:L) could obtain an authorization decision the policy should not grant. The root cause, as far as the advisory states it, is improper handling of duplicate check parameters within a single batch operation; the page does not spell out the exact triggering conditions, and the CVSS vector reflects that (AC:H, with Low impact on confidentiality, integrity, and availability). The fix is in version 1.14.0. Until a deployment is upgraded, keeping duplicate tuple keys out of any single BatchCheck request is the obvious interim measure, though no vendor-confirmed workaround appears on this page.
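As an added, runnable illustration (not code from vuln.today or the OpenFGA project): a client-side guard that partitions a batch so no single BatchCheck request carries two checks for the same (user, relation, object) triple, merges the per-request results back under their correlation IDs, and a version-range check for the affected builds. The request/response shape, the `send` transport hook, the `fake_send` stand-in and the per-request cap `MAX_PER_REQUEST` are assumptions not stated on this page; verify the wire format and the cap against your deployment.

```python
"""Client-side guard against duplicate tuple keys in an OpenFGA BatchCheck request.

Added example for CVE-2026-34972, not code from vuln.today or the OpenFGA project.
Assumptions (not stated on the page): each check is a dict with a "tuple_key"
{"user", "relation", "object"} and a caller-chosen "correlation_id"; the server
answers {"result": {correlation_id: {"allowed": bool} | {"error": {...}}}};
"send" is the caller's transport (normally a POST to /stores/{store_id}/batch-check);
MAX_PER_REQUEST mirrors the server's configurable per-request cap and must match
the deployment.
"""
import re
from typing import Callable, Dict, List, Set, Tuple

AFFECTED_MIN = (1, 8, 0)   # first affected release named on the page
FIXED_IN = (1, 14, 0)      # fix version named on the page
MAX_PER_REQUEST = 50       # assumed server cap on checks per BatchCheck request


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '1.13.1' or 'v1.13.1' (any pre-release suffix is ignored)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenFGA version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: str) -> bool:
    """True when the server version falls in the advisory's 1.8.0 .. 1.13.1 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def tuple_key_of(check: dict) -> Tuple[str, str, str]:
    """The (user, relation, object) triple the advisory says must not repeat."""
    tk = check["tuple_key"]
    return (tk["user"], tk["relation"], tk["object"])


def split_batch(checks: List[dict], max_per_request: int = MAX_PER_REQUEST) -> List[List[dict]]:
    """Partition checks into requests so that no request repeats a triple and
    none exceeds max_per_request. Greedy first-fit: each check goes into the
    earliest request that has room and has not yet seen its triple. Each
    individual check keeps its own context; only the grouping changes."""
    requests: List[List[dict]] = []
    seen: List[Set[Tuple[str, str, str]]] = []
    for check in checks:
        key = tuple_key_of(check)
        for group, keys in zip(requests, seen):
            if key not in keys and len(group) < max_per_request:
                group.append(check)
                keys.add(key)
                break
        else:
            requests.append([check])
            seen.append({key})
    return requests


def batch_check_safely(checks: List[dict], send: Callable[[dict], dict],
                       max_per_request: int = MAX_PER_REQUEST) -> Dict[str, bool]:
    """Run the checks over one or more BatchCheck calls and merge the results,
    keyed by correlation_id. Fails closed: a missing or errored result raises
    instead of being read as 'allowed'."""
    ids = [c["correlation_id"] for c in checks]
    if len(set(ids)) != len(ids):
        raise ValueError("correlation_id values must be unique within a batch")
    merged: Dict[str, bool] = {}
    for group in split_batch(checks, max_per_request):
        result = send({"checks": group}).get("result", {})
        for check in group:
            cid = check["correlation_id"]
            entry = result.get(cid)
            if entry is None or "error" in entry:
                raise RuntimeError(f"no usable result for {cid}: {entry}")
            merged[cid] = bool(entry["allowed"])
    return merged


# Constructed sample input: three of the four checks share one triple.
SAMPLE_CHECKS = [
    {"correlation_id": "c1", "tuple_key": {"user": "user:anne", "relation": "viewer", "object": "document:budget"}},
    {"correlation_id": "c2", "tuple_key": {"user": "user:anne", "relation": "viewer", "object": "document:budget"}},
    {"correlation_id": "c3", "tuple_key": {"user": "user:bob", "relation": "viewer", "object": "document:budget"}},
    {"correlation_id": "c4", "tuple_key": {"user": "user:anne", "relation": "viewer", "object": "document:budget"}},
]


def fake_send(body: dict) -> dict:
    """Constructed stand-in for the HTTP transport: allows only user:anne."""
    return {"result": {c["correlation_id"]: {"allowed": c["tuple_key"]["user"] == "user:anne"}
                       for c in body["checks"]}}


if __name__ == "__main__":
    for v in ("1.7.9", "1.8.0", "1.13.1", "1.14.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    groups = split_batch(SAMPLE_CHECKS)
    print([[c["correlation_id"] for c in g] for g in groups])  # [['c1', 'c3'], ['c2'], ['c4']]
    print(batch_check_safely(SAMPLE_CHECKS, fake_send))
```

The splitter deliberately does not collapse duplicates into one check, because two checks with the same triple may still carry different contextual tuples or context and therefore legitimately differ in outcome; sending them in separate requests preserves that while avoiding the duplicate-in-one-batch condition the advisory describes. Replace `fake_send` with your real HTTP call and keep the fail-closed handling of missing or errored entries.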

Priority Score: 25 (scale: Low / Medium / High / Critical)

Contributions: KEV 0, EPSS +0.0, CVSS +25, POC 0


EUVD-2026-19486 vulnerability details – vuln.today
