CVE-2026-34972
OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
CVSS Score
5.0
EPSS Score
0.0%
EPSS Percentile
10th
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.
| CWE | CWE-863 |
| Vendor | openfga |
| Product | openfga |
| Published | Apr 6, 2026 |
| Last Updated | Apr 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for openfga openfga
Be the first to know when new medium vulnerabilities affecting openfga openfga are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Affected Versions
openfga / openfga
>= 1.8.0, < 1.14.0