Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix.
AnalysisAI
OpenFGA versions prior to 1.14.1 suffer from a cache key collision vulnerability in conditional authorization models that enables attackers to obtain unauthorized access to resources by forcing reuse of cached authorization decisions. When conditions are evaluated with caching enabled, different check requests can generate identical cache keys, causing OpenFGA to incorrectly return a previously cached authorization result for a subsequent request with different parameters. This affects deployments using relational models with condition evaluation where caching is active, allowing authenticated users to bypass intended access controls and disclose information about resources they should not access.
Technical ContextAI
OpenFGA is a Zanzibar-inspired authorization engine that uses relation-based access control (ReBAC) models. The vulnerability stems from insufficient cache key generation in the condition evaluation subsystem (CWE-706: Use of Incorrectly-Resolved Name or Reference). When a model includes conditions that modify authorization logic, the cache implementation fails to account for all parameters that should uniquely identify a check request. This results in hash collisions where two semantically different authorization checks produce identical cache keys. The affected code path involves the interaction between the relation evaluation engine and the caching layer when processing conditional relations, allowing an authenticated user to craft sequential requests that exploit the collision to retrieve cached results from unrelated authorization contexts.
RemediationAI
Upgrade OpenFGA to version 1.14.1 or later, which contains the fix for cache key collision in conditional models. This is the primary mitigation. For organizations unable to immediately patch, disable caching at the application level via configuration settings (specific cache-related flags in OpenFGA config; consult the project documentation for exact parameter names), though this will degrade authorization check performance and should be considered temporary only. Alternatively, remove or simplify condition-based relations in authorization models until patched, reverting to simpler relation structures without conditional logic. This preserves caching benefits but reduces authorization expressiveness. Review access logs for evidence of cache-based authorization bypass attempts (identical check results with different parameters in short timeframes). Organizations should prioritize patching as the fix is straightforward and available; disabling caching or redesigning models imposes operational costs without addressing the root cause.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24573
GHSA-57j5-qwp2-vqp6