Caching Vulnerability in OpenFGA Authorization Engine by OpenFGA
CVE-2026-33729

5.8 MEDIUM

Key Information:

Vendor: OpenFGA

Status
Vendor
CVE Published: 27 March 2026

What is CVE-2026-33729?

An issue in the OpenFGA authorization engine allows cached results to be reused across different check requests when caching is enabled and certain conditions are met. This may lead to incorrect authorization decisions, especially in models that rely on condition evaluations. The problem arises when two distinct requests generate the same cache key, so the result cached for one request can be returned for the other. OpenFGA version 1.13.1 has been released to address this vulnerability.

Affected Version(s)

openfga < 1.13.1

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
