CVE-2026-48096

MEDIUM 5.0

OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning

CVSS Score

5.0

EPSS Score

0.0%

EPSS Percentile

0th

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.

CWE	CWE-345 CWE-668
Vendor	openfga
Product	openfga
Published	Jun 10, 2026

Stay Ahead of the Next One

Get instant alerts for openfga openfga

Be the first to know when new medium vulnerabilities affecting openfga openfga are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

openfga / openfga

< 1.16.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openfga/openfga/security/advisories/GHSA-8396-jffm-qx4w github.com: https://github.com/openfga/openfga/releases/tag/v1.16.0