{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34972", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T19:38:31.616Z", "datePublished": "2026-04-06T20:41:33.414Z", "dateUpdated": "2026-04-06T20:41:33.414Z"}, "containers": {"cna": {"title": "OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45"}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": ">= 1.8.0, < 1.14.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:41:33.414Z"}, "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0."}], "source": {"advisory": "GHSA-jwvj-g8pc-cx45", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0."}], "id": "CVE-2026-34972", "lastModified": "2026-04-06T21:16:19.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T21:16:19.997", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.8.0,1.14.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openfga", "source": "cna", "vendor": "openfga"}, "product": "openfga", "vendor": "openfga"}], "analysis": {"en": {"generated_at": "2026-04-07T01:35:29.420030+00:00", "value": {"mitigation_remediation": ["Upgrade OpenFGA to version 1.14.0 or later."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Affected versions are OpenFGA 1.8.0 through 1.13.1. The issue is fixed in 1.14.0. Users deploying these versions of the authorization engine are at risk when they use BatchCheck with multiple requests for the same object, relation, and user combinations.", "description_and_impact": "OpenFGA\u2019s BatchCheck feature contains a flaw where internal deduplication can misidentify duplicate checks due to a list-value cache-key collision. This results in incorrect authorization decisions, allowing or denying access contrary to the defined policy. The vulnerability falls under CWE\u2011863, highlighting incomplete enforcement of the least\u2011privilege principle.", "risk_and_exploitability": "With a CVSS score of 5, the vulnerability is considered medium severity. The lack of an EPSS score and KEV listing suggests a lower likelihood of mass exploitation, yet the potential for privilege escalation remains. Attackers can craft BatchCheck requests that trigger the cache-key collision, leading to unauthorized access. Organizations should treat this as a critical patching priority."}}}}, "created": "2026-04-07T06:54:10.601299+00:00", "updated": "2026-04-07T09:37:11.136399+00:00", "vendors": ["openfga", "openfga$PRODUCT$openfga"]}