Authorization Engine Vulnerability in OpenFGA by OpenFGA
CVE-2026-34972

CVSS score: 5 (MEDIUM)

Key Information:

Vendor: OpenFGA
Status: Vendor
CVE Published: 6 April 2026

What is CVE-2026-34972?

OpenFGA, an authorization engine inspired by Google Zanzibar, contains a flaw in versions 1.8.0 through 1.13.1: certain BatchCheck requests that include multiple checks for the same object, relation and user combination can result in improper policy enforcement, i.e. incorrect authorization decisions. This poses a significant risk to applications that rely on BatchCheck results to enforce permissions. The issue is fixed in version 1.14.0, and users should upgrade to that release or later to restore correct policy evaluation.

Affected Version(s)

openfga >= 1.8.0, < 1.14.0

CVSS v3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
