Skip to main content

Openfga

21 CVEs product

Monthly

CVE-2026-48096 Go MEDIUM PATCH GHSA This Month

Cache key collision in OpenFGA's iterator caching mechanism allows two distinct authorization check requests to resolve to the same cache key, causing the engine to return a stale, incorrect authorization result to a subsequent requester. All OpenFGA deployments prior to version 1.16.0 with iterator caching enabled are affected, specifically when using the experimental weighted_graph_check union resolution path. An authenticated attacker who can trigger authorization checks under conditions that produce a colliding cache key may receive an incorrect allow or deny decision, undermining the integrity and confidentiality of access control enforced by the engine. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Openfga Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40293 Go MEDIUM PATCH This Month

OpenFGA 0.1.4 through 1.13.1 discloses preshared API authentication keys in plaintext HTML responses from the unauthenticated /playground endpoint when configured with preshared-key authentication. Remote attackers on accessible networks can retrieve credentials without authentication, compromising authorization service security. The vulnerability requires non-default configuration (preshared auth enabled, playground accessible beyond localhost), limiting but not eliminating real-world risk.

Information Disclosure Openfga
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24851 Go HIGH PATCH This Week

Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases) allows authenticated users to bypass authorization checks through specially crafted tuple configurations that mix type-bound public and non-public access policies. An attacker with valid credentials can exploit mismatched tuple assignments to gain unauthorized access to protected resources by leveraging lexicographic object ID ordering in the authorization engine. No patch is currently available.

Docker Openfga Helm Charts Red Hat Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-64751 Go MEDIUM PATCH This Month

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Google Authentication Bypass Helm Charts Openfga +1
NVD GitHub
CVSS 4.0
5.8
EPSS
0.1%
CVE-2025-55213 Go MEDIUM PATCH This Month

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Docker Google Helm Charts Openfga +1
NVD GitHub
CVSS 4.0
5.8
EPSS
0.1%
CVE-2025-48371 Go MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Docker Helm Charts Openfga Suse
NVD GitHub
CVSS 4.0
5.8
EPSS
0.1%
CVE-2025-46331 Go MEDIUM PATCH This Month

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity.

Google Authentication Bypass Docker Helm Charts Openfga +1
NVD GitHub
CVSS 4.0
5.8
EPSS
0.3%
CVE-2025-25196 Go MEDIUM PATCH This Month

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity.

Google Authentication Bypass Docker Helm Charts Openfga +1
NVD GitHub
CVSS 4.0
5.8
EPSS
0.3%
CVE-2024-56323 Go MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity.

Docker Authentication Bypass Helm Charts Openfga Suse
NVD GitHub
CVSS 4.0
5.8
EPSS
0.1%
CVE-2024-42473 Go CRITICAL PATCH Act Now

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openfga
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-31452 Go CRITICAL PATCH Act Now

OpenFGA is a high-performance and flexible authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Openfga
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-23820 Go MEDIUM PATCH This Month

OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Openfga
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-45810 Go HIGH PATCH This Week

OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Google Openfga
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-43645 Go MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Denial Of Service Google Openfga
NVD GitHub
CVSS 3.1
5.9
EPSS
0.8%
CVE-2023-40579 Go MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Authentication Bypass Openfga
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-35933 Go HIGH POC PATCH This Week

OPenFGA is an open source authorization/permission engine built for developers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Openfga
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-23542 Go CRITICAL PATCH Act Now

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Google Openfga
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-39352 Go CRITICAL PATCH Act Now

OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Google Openfga
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2022-39342 Go CRITICAL PATCH Act Now

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Openfga
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-39341 Go CRITICAL PATCH Act Now

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Openfga
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-39340 Go MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Openfga
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cache key collision in OpenFGA's iterator caching mechanism allows two distinct authorization check requests to resolve to the same cache key, causing the engine to return a stale, incorrect authorization result to a subsequent requester. All OpenFGA deployments prior to version 1.16.0 with iterator caching enabled are affected, specifically when using the experimental weighted_graph_check union resolution path. An authenticated attacker who can trigger authorization checks under conditions that produce a colliding cache key may receive an incorrect allow or deny decision, undermining the integrity and confidentiality of access control enforced by the engine. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Openfga Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenFGA 0.1.4 through 1.13.1 discloses preshared API authentication keys in plaintext HTML responses from the unauthenticated /playground endpoint when configured with preshared-key authentication. Remote attackers on accessible networks can retrieve credentials without authentication, compromising authorization service security. The vulnerability requires non-default configuration (preshared auth enabled, playground accessible beyond localhost), limiting but not eliminating real-world risk.

Information Disclosure Openfga
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases) allows authenticated users to bypass authorization checks through specially crafted tuple configurations that mix type-bound public and non-public access policies. An attacker with valid credentials can exploit mismatched tuple assignments to gain unauthorized access to protected resources by leveraging lexicographic object ID ordering in the authorization engine. No patch is currently available.

Docker Openfga Helm Charts +2
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Google Authentication Bypass +3
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Docker Google +3
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Docker Helm Charts +2
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity.

Google Authentication Bypass Docker +3
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity.

Google Authentication Bypass Docker +3
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity.

Docker Authentication Bypass Helm Charts +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openfga
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OpenFGA is a high-performance and flexible authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Openfga
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Openfga
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Google Openfga
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Denial Of Service Google Openfga
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Authentication Bypass Openfga
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

OPenFGA is an open source authorization/permission engine built for developers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Openfga
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Google Openfga
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Google Openfga
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Openfga
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Openfga
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

OpenFGA is an authorization/permission engine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Openfga
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy