CVE
CVE-2026-33729
OpenFGA has an Authorization Bypass through cached keys
Description
In OpenFGA, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request.
Am I Affected?
Users are affected if the following preconditions are met:
- The model has relations which rely on condition evaluation.
- Caching is enabled.
Fix
Upgrade to OpenFGA v1.13.1.
Acknowledgement
OpenFGA would like to thank @Amemoyoi for the discovery and responsible disclosure.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
5.8
-
4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/openfga/openfga/security/advisories/GHSA-h6c8-cww8-35hf, https://nvd.nist.gov/vuln/detail/CVE-2026-33729, https://github.com/openfga/openfga/commit/049b50ccd2cc7e163bd897f3d17a7b859ad146f8, https://github.com/openfga/openfga, https://github.com/openfga/openfga/releases/tag/v1.13.1
Basic Information
Ecosystem
