Description
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.
Published: 2026-04-06
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Incorrect Authorization Decisions
Action: Patch
AI Analysis

Impact

OpenFGA's BatchCheck performs deduplication of authorization checks inside a single request. Under specific circumstances related to list-value cache-key collisions, the deduplication can incorrectly merge checks, causing the engine to return a permissive policy outcome for a context that should be denied. The result is improper enforcement of access control, allowing a user that should not have access to be granted it, thereby compromising confidentiality and integrity of protected resources.

Affected Systems

The vulnerability affects OpenFGA Engine versions 1.8.0 through 1.13.1. Production deployments using any of these releases are at risk until the application is upgraded to version 1.14.0 or later, which contains the remediation.

Risk and Exploitability

The CVSS score of 5.0 indicates a moderate level of severity, while the EPSS score of less than 1% points to a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would most likely trigger the issue by submitting multiple authorization checks for the same object, relation, and user within a single request, a vector that is inferred from the described cache-key collision mechanism. If exploited, the attacker could gain unauthorized access to resources or functionality that should be protected.

Generated by OpenCVE AI on April 7, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenFGA to version 1.14.0 or later to apply the fix
  • Verify that the deployment is running the updated version and that the BatchCheck endpoint is correctly handling requests
  • Monitor logs for anomalous authorization responses that may indicate residual or new permission issues
  • If upgrading is delayed, consider enforcing stricter request validation or segregating critical checks outside of BatchCheck until the update is applied
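The second and third actions above can be turned into a concrete check. The following Python is an added example, not OpenFGA project code: it flags deployments whose reported version falls in the affected range, groups the checks of a batch by (user, relation, object) so the within-request duplicates the advisory describes can be identified, and compares the BatchCheck answers against the answers obtained by sending each check on its own. The response shapes (`{"allowed": bool}` for Check, `{"result": {correlation_id: {"allowed": bool}}}` for BatchCheck), the field names, and all sample data are assumptions constructed for the example; the caller is expected to have already obtained both responses from its own deployment.

```python
"""Defender-side consistency checks for the OpenFGA BatchCheck advisory.

Added example, not OpenFGA's own code. Assumed (hypothetical) inputs:
- version strings of the form "1.13.1" or "v1.13.1";
- Check results as {correlation_id: allowed};
- a BatchCheck response as {"result": {correlation_id: {"allowed": bool}}}.
"""
from typing import Dict, List, Tuple

# Affected range as stated in the advisory: 1.8.0 through 1.13.1, fixed in 1.14.0.
AFFECTED_MIN = (1, 8, 0)
FIRST_FIXED = (1, 14, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v1.13.1' / '1.13.1' into a comparable (major, minor, patch) tuple.
    Pre-release and build suffixes ('-rc1', '+abc') are dropped (assumption)."""
    core = version.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True when the running version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIRST_FIXED


def collision_candidates(checks: List[Dict]) -> Dict[Tuple[str, str, str], List[str]]:
    """Group a batch's checks by (user, relation, object).
    Groups with more than one member are the same-tuple duplicates the
    advisory describes; these are the ones worth re-issuing individually."""
    groups: Dict[Tuple[str, str, str], List[str]] = {}
    for check in checks:
        key = (check["user"], check["relation"], check["object"])
        groups.setdefault(key, []).append(check["correlation_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def find_divergent_checks(single_results: Dict[str, bool], batch_response: Dict) -> List[str]:
    """Return correlation_ids whose BatchCheck 'allowed' differs from the result
    of the same check sent on its own (or is missing from the batch response).
    A non-empty list means the batch path is not enforcing policy the way the
    single-check path does, which is exactly the condition to alert on."""
    batch = batch_response.get("result", {})
    divergent = []
    for cid, allowed in single_results.items():
        entry = batch.get(cid)
        if entry is None or entry.get("allowed") != allowed:
            divergent.append(cid)
    return sorted(divergent)


# Constructed sample: two checks for the same user/relation/object that differ
# only in request context, plus one unrelated check for another user.
SAMPLE_CHECKS = [
    {"correlation_id": "c1", "user": "user:anne", "relation": "viewer",
     "object": "document:budget", "context": {"ip_ranges": ["10.0.0.0/8"]}},
    {"correlation_id": "c2", "user": "user:anne", "relation": "viewer",
     "object": "document:budget", "context": {"ip_ranges": ["203.0.113.0/24"]}},
    {"correlation_id": "c3", "user": "user:bob", "relation": "viewer",
     "object": "document:budget", "context": {}},
]
# Constructed results of sending each check individually.
SAMPLE_SINGLE = {"c1": True, "c2": False, "c3": False}
# Constructed BatchCheck response in which c2 was merged into c1 and inherited its answer.
SAMPLE_BATCH = {"result": {"c1": {"allowed": True},
                           "c2": {"allowed": True},
                           "c3": {"allowed": False}}}


if __name__ == "__main__":
    print("1.13.1 affected:", is_affected("1.13.1"))
    print("same-tuple duplicates:", collision_candidates(SAMPLE_CHECKS))
    print("divergent checks:", find_divergent_checks(SAMPLE_SINGLE, SAMPLE_BATCH))
```

Run against a real deployment, the comparison only needs the two responses; any correlation id reported as divergent should be treated as an authorization decision to investigate, and the duplicate groups show which checks to prioritise. On a fixed release the divergent list should be empty.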


Tracking


Advisories
Source: GitHub GHSA | ID: GHSA-jwvj-g8pc-cx45 | Title: OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
History

Tue, 07 Apr 2026 15:15:00 +0000

Type: Values Removed -> Values Added
Weaknesses: (none) -> CWE-639
References: (empty)
Metrics, threat_severity: None -> Moderate
Metrics, ssvc: (none) -> {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type: Values Removed -> Values Added
First Time appeared: (none) -> Openfga, Openfga openfga
Vendors & Products: (none) -> Openfga, Openfga openfga

Tue, 07 Apr 2026 00:00:00 +0000

Type: Values Removed -> Values Added
Description: (none) -> OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.
Title: (none) -> OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
Weaknesses: (none) -> CWE-863
References: (empty)
Metrics, cvssV3_1: (none) -> {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:01:23.508Z

Reserved: 2026-03-31T19:38:31.616Z

Link: CVE-2026-34972

Vulnrichment

Updated: 2026-04-07T14:01:18.314Z

NVD

Status : Awaiting Analysis

Published: 2026-04-06T21:16:19.997

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-34972

Redhat

Severity : Moderate

Public Date: 2026-04-06T20:41:33Z

Links: CVE-2026-34972 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:50:31Z

Weaknesses