CVE-2026-33729

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation andncaching is enabled. OpenFGA v1.13.1 contains a patch.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openfga/openfga/commit/049b50ccd2cc7e163bd897f3d17a7b859ad146f8	Patch
https://github.com/openfga/openfga/releases/tag/v1.13.1	Release Notes
https://github.com/openfga/openfga/security/advisories/GHSA-h6c8-cww8-35hf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

History

14 Apr 2026, 01:04

Type	Values Removed	Values Added
First Time		Openfga Openfga openfga
CPE		cpe:2.3:a:openfga:openfga::::::::
References	~~() https://github.com/openfga/openfga/commit/049b50ccd2cc7e163bd897f3d17a7b859ad146f8 -~~	() https://github.com/openfga/openfga/commit/049b50ccd2cc7e163bd897f3d17a7b859ad146f8 - Patch
References	~~() https://github.com/openfga/openfga/releases/tag/v1.13.1 -~~	() https://github.com/openfga/openfga/releases/tag/v1.13.1 - Release Notes
References	~~() https://github.com/openfga/openfga/security/advisories/GHSA-h6c8-cww8-35hf -~~	() https://github.com/openfga/openfga/security/advisories/GHSA-h6c8-cww8-35hf - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

30 Mar 2026, 13:26

Type	Values Removed	Values Added
Summary		(es) OpenFGA es un motor de autorización/permisos de alto rendimiento y flexible, construido para desarrolladores e inspirado en Google Zanzibar. En versiones anteriores a la 1.13.1, bajo condiciones específicas, los modelos que usan condiciones con el almacenamiento en caché habilitado pueden resultar en que dos solicitudes de verificación diferentes produzcan la misma clave de caché. Esto puede resultar en que OpenFGA reutilice un resultado previamente almacenado en caché para una solicitud diferente. Los usuarios se ven afectados si el modelo tiene relaciones que dependen de la evaluación de condiciones y el almacenamiento en caché está habilitado. OpenFGA v1.13.1 contiene un parche.

27 Mar 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 01:16

Updated : 2026-04-14 01:04

NVD link : CVE-2026-33729

Mitre link : CVE-2026-33729

CVE.ORG link : CVE-2026-33729

JSON object : View

Products Affected

openfga

openfga

CWE

CWE-20

Improper Input Validation

CWE-345

Insufficient Verification of Data Authenticity

CWE-1289

Improper Validation of Unsafe Equivalence in Input

9.8 /10