Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.
AnalysisAI
BatchCheck API calls in OpenFGA 1.8.0 through 1.13.1 can bypass authorization policies when multiple permission checks target the same object, relation, and user combination, allowing authenticated attackers with limited privileges to gain unauthorized access to protected resources. The vulnerability stems from improper handling of duplicate check parameters in batch operations and is fixed in version 1.14.0.
Technical ContextAI
OpenFGA is an authorization engine implementing a Zanzibar-inspired relationship-based access control (ReBAC) model. The vulnerability exists in the BatchCheck operation, which allows multiple authorization decisions to be evaluated in a single request. The root cause is classified under CWE-863 (Incorrect Authorization), indicating a flaw in the access control decision logic when processing batched requests with duplicate check parameters. When the same object-relation-user tuple appears multiple times within a single BatchCheck call, the authorization engine fails to properly enforce the defined policies, potentially returning incorrect permission decisions. This affects the core permission evaluation path in OpenFGA's authorization framework, which is critical infrastructure for applications delegating access control decisions to the platform.
RemediationAI
Vendor-released patch: OpenFGA 1.14.0 or later. Organizations using affected versions 1.8.0 through 1.13.1 must upgrade immediately to 1.14.0 or a later stable release to resolve the BatchCheck authorization bypass. No temporary workaround that avoids the vulnerability has been identified; immediate patching is the only remediation. Security advisory details are available at https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45, which should be reviewed for comprehensive mitigation guidance and confirmation of fix applicability to your deployment.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19486
GHSA-jwvj-g8pc-cx45