Description
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.
Published: 2026-06-10
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cache‑key delimiter injection in OpenFGA’s iterator caches allows two distinct authorization check requests to produce the same cache key. As a result, a previously cached decision is reused for a new request, enabling an attacker to poison the cache and obtain unauthorized access within the same store. This results in an authorization bypass that can compromise the confidentiality and integrity of protected resources, corresponding to CWE‑345, CWE‑639, and CWE‑668 weaknesses.

Affected Systems

All OpenFGA installations (openfga/openfga) running versions prior to 1.16.0 that have iterator caching enabled are affected. The vendor released a patch in v1.16.0 that removes the cache-key collision issue.

Risk and Exploitability

The CVSS score of 5.0 indicates moderate severity. EPSS score < 1% indicates a low probability of exploitation, and the vulnerability is not listed in CISA KEV. The exploit requires an attacker to send crafted authorization queries to an OpenFGA instance with iterator caching enabled, implying that the risk is primarily confined to systems where the service is publicly accessible and caching is used. Although no active exploits are known, the possibility of unauthorized access remains if the patch is not applied. The likely attack vector is remote, via crafted authorization requests.

Generated by OpenCVE AI on June 15, 2026 at 13:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenFGA to version 1.16.0 or later to remove the cache‑key collision vulnerability.
  • If an immediate upgrade is not possible, temporarily disable iterator caching in OpenFGA to prevent cache poisoning until a patch is applied.
  • Ensure that cache key delimiters are sanitized and unique, or reconfigure the caching strategy to enforce proper key construction, mitigating cache‑collision weaknesses.

Generated by OpenCVE AI on June 15, 2026 at 13:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8396-jffm-qx4w OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning
History

Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 12 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Openfga helm Charts
CPEs cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*
cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*
Vendors & Products Openfga helm Charts

Wed, 10 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Openfga
Openfga openfga
Vendors & Products Openfga
Openfga openfga

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.
Title OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning
Weaknesses CWE-345
CWE-668
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Openfga Helm Charts Openfga
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T19:41:18.553Z

Reserved: 2026-05-20T18:40:45.834Z

Link: CVE-2026-48096

cve-icon Vulnrichment

Updated: 2026-06-10T19:41:06.339Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T16:17:09.397

Modified: 2026-06-12T00:46:45.620

Link: CVE-2026-48096

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T15:09:59Z

Links: CVE-2026-48096 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T14:00:12Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-668

    Exposure of Resource to Wrong Sphere