EUVD-2026-19486

OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision...

GHSA-JWVJ-G8PC-CX45 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

Description In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. Am I affected? You are affected if you meet the following preconditions: 1. You execute BatchCheck operation...

CVE-2026-34972

A flaw was found in OpenFGA, a high-performance authorization engine. Under specific conditions, a user making BatchCheck calls with multiple checks for the same object, relation, and user combination can trigger improper policy enforcement. This can lead to incorrect authorization decisions,...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization when BatchCheck calls with multiple checks are sent for the same object, relation, and user combination. An attacker can cause incorrect authorization decisions by exploiting a cache-key collision involving list...

CVE-2026-34972

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

CVE-2026-34972 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

CVE-2026-34972

OpenFGA vulnerability CVE-2026-34972 affects OpenFGA versions 1.8.0 through 1.13.1. The issue arises when BatchCheck is invoked with multiple checks for the same object, relation, and user, leading to improper policy enforcement. It is resolved in version 1.14.0. CVSS metrics indicate high impact...

CVE-2026-34972

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

PT-2026-30732

Name of the Vulnerable Software and Affected Versions OpenFGA versions 1.8.0 through 1.13.1 Description OpenFGA is an authorization/permission engine. BatchCheck calls with multiple checks for the same object, relation, and user can lead to improper policy enforcement under specific conditions...

OpenFGA 安全漏洞

OpenFGA is an open-source tool built for developers, inspired by Google Zanzibar. It’s a high-performance and flexible authorization/licensing engine. Versions of OpenFGA from 1.8.0 to 1.13.1 have security vulnerabilities. These vulnerabilities arise from calls to the BatchCheck function under...