Description
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.
Published: 2026-06-10
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cache‑key delimiter injection in OpenFGA’s iterator caches allows two distinct authorization check requests to produce the same cache key. As a result, a previously cached decision is reused for a new request, enabling an attacker to poison the cache and obtain unauthorized access within the same store. This results in an authorization bypass that can compromise the confidentiality and integrity of protected resources, corresponding to CWE‑345 and CWE‑668 weaknesses.

Affected Systems

All OpenFGA installations (openfga/openfga) running versions prior to 1.16.0 that have iterator caching enabled are affected. The vendor released a patch in v1.16.0 that removes the cache-key collision issue.

Risk and Exploitability

The CVSS score of 5.0 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in CISA KEV. The exploit requires an attacker to send crafted authorization queries to an OpenFGA instance with iterator caching enabled, implying that the risk is primarily confined to systems where the service is publicly accessible and caching is used. Although no active exploits are known, the possibility of unauthorized access remains if the patch is not applied. The likely attack vector is remote, via crafted authorization requests.

Generated by OpenCVE AI on June 10, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenFGA to version 1.16.0 or later to remove the cache‑key collision vulnerability.
  • If an immediate upgrade is not possible, temporarily disable iterator caching in OpenFGA to prevent cache poisoning until a patch is applied.
  • Ensure that cache key delimiters are sanitized and unique, or reconfigure the caching strategy to enforce proper key construction, mitigating cache‑collision weaknesses.

Generated by OpenCVE AI on June 10, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Openfga
Openfga openfga
Vendors & Products Openfga
Openfga openfga

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.
Title OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning
Weaknesses CWE-345
CWE-668
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Openfga Openfga
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T19:41:18.553Z

Reserved: 2026-05-20T18:40:45.834Z

Link: CVE-2026-48096

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T16:17:09.397

Modified: 2026-06-10T16:17:09.397

Link: CVE-2026-48096

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z

Weaknesses