GHSA-HCXC-WF8J-23HV OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...

GHSA-CF98-J28V-49V6 OpenFGA Improper Policy Enforcement

Description In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response. Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with MySQL as the datastore 2. Your authorization decisions rely on case-sensitive use...

CVE-2026-48096

A flaw was found in OpenFGA, an authorization/permission engine. When iterator caching is enabled, distinct authorization check requests can generate identical cache keys. This can cause OpenFGA to reuse an outdated or incorrect cached result for subsequent requests. Such a flaw may lead to...

Linux Distros Unpatched Vulnerability : CVE-2026-48096

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can...

GHSA-8396-JFFM-QX4W OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning

Description In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. Preconditions This applies if the following preconditions are present: - FGA runs with...

EUVD-2026-36061

OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning...

OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning

Description In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. Preconditions This applies if the following preconditions are present: - FGA runs with...

CVE-2026-48096

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in...

CVE-2026-48096 OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in...

CVE-2026-48096 OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in...

CVE-2026-48096

OpenFGA: The CVE affects the OpenFGA authorization engine prior to v1.16.0 due to an issue with iterator caching where two distinct check requests could produce the same cache key, causing reuse of an earlier cached result. The root cause is described as a cache-key issue in the shared-iterator a...

OpenFGA 数据伪造问题漏洞

OpenFGA is an open-source authorization/licensing engine built for developers, inspired by Google Zanzibar. Versions of OpenFGA prior to 1.16.0 had a data manipulation vulnerability. This vulnerability arises from the possibility that two different check requests may generate the same cache key...

PT-2026-48462

Name of the Vulnerable Software and Affected Versions OpenFGA versions prior to 1.16.0 Description When iterator caching is enabled, specifically with SharedIteratorCache and ListObjectsIteratorCache, two distinct check requests can produce the same cache key. This causes the system to reuse a...

CVE-2026-41889 vulnerabilities

Vulnerabilities for packages: authentik, openfga-fips, temporal-fips, dapr-fips, spire-server, amass, gitaly-fips, wal-g, gitlab-cng-fips, openbao, seaweedfs, dapr, seaweedfs-rocksdb-fips, sqlexporter-fips, falcosidekick, caddy, chainloop-control-plane-fips, hydra, azure-service-operator-fips,...

a10-octavia (>=1.0.0 <=2.2.0), gadgetfinder (>=0.0.1 <=1.0.0) +3 more potentially affected by CVE-2026-43001 via keystone (>=15.0.1 <=29.0.1)

keystone PYPI version =15.0.1, =1.0.0, =0.0.1, =0.1.0, =0.1.0, =1.12.0 Source cves: CVE-2026-43001 Source advisory: SNYK:PYTHON-KEYSTONE-16479530...

CVE-2026-41131

A flaw was found in OpenFGA, an authorization and permission engine. When certain authorization models use conditions with caching enabled, the system can incorrectly generate the same cache key for different requests. This error causes OpenFGA to reuse an outdated authorization decision,...

GHSA-J88V-2CHJ-QFWX vulnerabilities

Vulnerabilities for packages: authentik, openfga-fips, temporal-fips, dapr-fips, spire-server, amass, gitaly-fips, wal-g, gitlab-cng-fips, openbao, seaweedfs, dapr, seaweedfs-rocksdb-fips, sqlexporter-fips, falcosidekick, caddy, chainloop-control-plane-fips, hydra, azure-service-operator-fips,...

GHSA-57J5-QWP2-VQP6 OpenFGA has Improper Policy Enforcement

Description In OpenFGA, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. Am I Affected? Users are affected if their...

EUVD-2026-24573

OpenFGA has Improper Policy Enforcement...

OpenFGA has Improper Policy Enforcement

Description In OpenFGA, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. Am I Affected? Users are affected if their...