CVE-2026-41131

MEDIUM

OpenFGA has Improper Policy Enforcement

Title source: cna

Description

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix.

References (2)

[X_Refsource_Confirm] https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6

[X_Refsource_Misc] https://github.com/openfga/openfga/releases/tag/v1.14.1

Scores

CVSS v3 5.0

EPSS 0.0004

EPSS Percentile 11.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-706 CWE-863

Status published

Products (3)

openfga/helm_charts < 0.3.1

openfga/openfga < 1.14.1 (2 CPE variants)

openfga/openfga 0 - 1.14.1Go

Published Apr 22, 2026

Tracked Since Apr 22, 2026