CVE-2026-33729
OpenFGA has an Authorization Bypass through cached keys
In short
OpenFGA's caching system can incorrectly reuse cached authorization results for different requests when conditions are involved, allowing an attacker to bypass access controls by triggering the same cache key for a different user or permission check.
Technical detail
In OpenFGA versions before 1.13.1, models using condition evaluation with caching enabled generate identical cache keys for distinct authorization requests, leading to authorization bypass. The vulnerability requires conditions to be present in relations and caching to be active; an attacker exploits this by crafting requests that collide with cached results from prior checks with different authorization contexts.
Summary generated and translated by AI from the official description.
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation and caching is enabled. OpenFGA v1.13.1 contains a patch.
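As an added illustration of the bug class (this is not OpenFGA's code and is a simplified stand-in for its real cache keying), the snippet below contrasts a check-result cache key that drops condition context, so two requests with different condition inputs collide, with one that folds a canonical form of the context into the key. The request type, field names and sample values are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// CheckRequest is a constructed stand-in for an authorization check that may
// carry condition context (it is not OpenFGA's real request type).
type CheckRequest struct {
	StoreID, ModelID, User, Relation, Object string
	Context                                   map[string]string // condition parameters
}

// weakCacheKey keys only on the tuple and drops the context. Two checks that differ
// only in their condition inputs collide, so the second reuses the first's decision.
func weakCacheKey(r CheckRequest) string {
	return digest(r.StoreID, r.ModelID, r.User, r.Relation, r.Object)
}

// safeCacheKey adds a canonical (sorted, JSON-encoded) form of the context to the key,
// so requests with different condition inputs can never share a cached decision.
func safeCacheKey(r CheckRequest) string {
	keys := make([]string, 0, len(r.Context))
	for k := range r.Context {
		keys = append(keys, k)
	}
	sort.Strings(keys) // map iteration order is random; sort for a stable key
	pairs := make([][2]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, [2]string{k, r.Context[k]})
	}
	ctx, _ := json.Marshal(pairs)
	return digest(r.StoreID, r.ModelID, r.User, r.Relation, r.Object, string(ctx))
}

// digest hashes a JSON array of the parts, so a value cannot forge a separator.
func digest(parts ...string) string {
	enc, _ := json.Marshal(parts)
	sum := sha256.Sum256(enc)
	return hex.EncodeToString(sum[:])
}

func main() {
	a := CheckRequest{"s1", "m1", "user:anne", "viewer", "doc:1", map[string]string{"ip": "10.0.0.5"}}
	b := CheckRequest{"s1", "m1", "user:anne", "viewer", "doc:1", map[string]string{"ip": "203.0.113.9"}}
	fmt.Println("weak key collides:", weakCacheKey(a) == weakCacheKey(b))
	fmt.Println("safe key collides:", safeCacheKey(a) == safeCacheKey(b))
}
```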
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Affected products
openfga · openfga