OpenFGA, an authorization engine, can incorrectly enforce policies when conditions are used in models with caching enabled. The flaw allows a single cache key to be reused for distinct check requests, causing OpenFGA to return an earlier cached result instead of evaluating the new request. This improper policy enforcement can expose a user to a state that the model should not allow, thereby potentially granting unauthorized permissions. The vulnerability is classified as CWE-706 and CWE-863, reflecting a misuse of authorization logic and a failure to check authorization properly.

The affected product is OpenFGA (the openfga project). Versions prior to 1.14.1 are vulnerable, including all releases from the project's initial release up to 1.14.0. OpenFGA v1.14.1 and later contain the fix and are considered secure.

The CVSS score of 5 indicates medium severity, and the EPSS score is not publicly available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the model has conditions that influence authorization decisions and that the caching feature is enabled. An attacker must submit two check requests that generate an identical cache key but would normally produce different results. While the exact attack vector is not exhaustively detailed, it can be inferred that the attacker only needs the ability to craft requests to a target OpenFGA instance. The moderate CVSS score suggests exploitation is feasible but not trivial, and the lack of a readily available workaround means that only an updated version mitigates the risk. The overall risk is medium, with the potential to allow unintended access when caching is misused.