Description
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix.
Published: 2026-04-21
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via cached policy result
Action: Patch
AI Analysis

Impact

OpenFGA, an authorization engine, can incorrectly enforce policies when conditions are used in models with caching enabled. The flaw allows a single cache key to be reused for distinct check requests, causing OpenFGA to return an earlier cached result instead of evaluating the new request. This improper policy enforcement can expose a user to a state that the model should not allow, thereby potentially granting unauthorized permissions. The vulnerability is classified as CWE-639, CWE-706 and CWE-863, reflecting a misuse of authorization logic and a failure to check authorization properly.

Affected Systems

The affected product is OpenFGA (the openfga project). Versions prior to 1.14.1 are vulnerable, including all releases from the project's initial release up to 1.14.0. OpenFGA v1.14.1 and later contain the fix and are considered secure.

Risk and Exploitability

The CVSS score of 5 indicates medium severity, and the EPSS score is 0.0004, indicating a low but non‑zero exploit probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the model has conditions that influence authorization decisions and that the caching feature is enabled. An attacker must submit two check requests that generate an identical cache key but would normally produce different results. While the exact attack vector is not exhaustively detailed, it can be inferred that the attacker only needs the ability to craft requests to a target OpenFGA instance. The moderate CVSS score suggests exploitation is feasible but not trivial, and the lack of a readily available workaround means that only an updated version mitigates the risk. The overall risk is medium, with the potential to allow unintended access when caching is misused.

Generated by OpenCVE AI on April 29, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenFGA to version 1.14.1 or later to apply the vendor fix.
  • Disable caching for any models that contain conditional relations until the update is applied, if such functionality is available.
  • Implement monitoring for repeated cache keys or unintended permission gains to detect potential exploitation before patch deployment.

Generated by OpenCVE AI on April 29, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-57j5-qwp2-vqp6 OpenFGA has Improper Policy Enforcement
History

Tue, 28 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 24 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Openfga helm Charts
CPEs cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*
cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*
Vendors & Products Openfga helm Charts

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Openfga
Openfga openfga
Vendors & Products Openfga
Openfga openfga

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix.
Title OpenFGA has Improper Policy Enforcement
Weaknesses CWE-706
CWE-863
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Openfga Helm Charts Openfga
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T18:14:31.408Z

Reserved: 2026-04-17T12:59:15.737Z

Link: CVE-2026-41131

cve-icon Vulnrichment

Updated: 2026-04-22T18:14:26.263Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T00:16:29.013

Modified: 2026-04-24T13:44:37.287

Link: CVE-2026-41131

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T23:38:29Z

Links: CVE-2026-41131 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:00:27Z

Weaknesses