CVE-2026-34972

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openfga:helm_charts::::::openfga::*
	cpe:2.3:a:openfga:openfga::::::::

History

20 Apr 2026, 16:55

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openfga:openfga:::::::: cpe:2.3:a:openfga:helm_charts::::::openfga::*
First Time		Openfga helm Charts Openfga Openfga openfga
References	~~() https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45 -~~	() https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45 - Vendor Advisory

06 Apr 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-06 21:16

Updated : 2026-04-20 16:55

NVD link : CVE-2026-34972

Mitre link : CVE-2026-34972

CVE.ORG link : CVE-2026-34972

JSON object : View

Products Affected

openfga

openfga
helm_charts

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-34972", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-04-06T21:16:19.997", "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0."}], "lastModified": "2026-04-20T16:55:51.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*", "vulnerable": true, "matchCriteriaId": "EABAAAEF-53E1-4ED5-9680-9748EF76A60A", "versionEndExcluding": "0.2.62", "versionStartIncluding": "0.2.16"}, {"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D29D1A0-093C-4775-9409-BED9C6D4CE7E", "versionEndExcluding": "1.14.0", "versionStartIncluding": "1.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}