CVE-2026-34972

MEDIUM

OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

Title source: cna

Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions from 1.8.0 up to and including 1.13.1, under specific conditions, a BatchCheck call that contains multiple checks for the same object, relation, and user combination can return an incorrect authorization decision (improper policy enforcement); the cause is a cache-key collision on list values in BatchCheck's within-request deduplication. This vulnerability is fixed in version 1.14.0.

Scores

CVSS v3 5.0
EPSS 0.0002
EPSS Percentile 3.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (4)
openfga/helm_charts 0.2.16 - 0.2.62
openfga/openfga 1.8.0 - 1.14.0 (Go)
openfga/openfga 1.8.0 - 1.14.0
openfga/openfga >= 1.8.0, < 1.14.0
Published Apr 06, 2026
Tracked Since Apr 07, 2026