Authorization/Permission Engine Vulnerability in OpenFGA
CVE-2026-48096

5 MEDIUM

Key Information:

Vendor: OpenFGA
Status: Vendor
CVE Published: 10 June 2026

What is CVE-2026-48096?

OpenFGA, a prominent authorization and permission management engine, is affected by a vulnerability where the iterator caching mechanism can lead to cache key collisions. Specifically, prior to version 1.16.0, certain check requests might yield identical cache keys, resulting in the reuse of previously cached results for new requests. This creates potential inconsistencies in access control decisions, which can compromise the integrity of authorization processes. Users are strongly advised to upgrade to version 1.16.0 to mitigate this issue.
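The advisory does not say which request fields produced the identical keys, so the following is an added, hypothetical illustration of the bug class rather than OpenFGA's code: a check-request cache key that omits decision-relevant fields (`naiveKey`) beside one that encodes every field with length prefixes (`structuredKey`), plus a collision check a maintainer can run over a corpus of requests. `CheckRequest`, its field names and the sample requests are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// CheckRequest is a constructed, simplified check request, not OpenFGA's real type.
type CheckRequest struct {
	StoreID, ModelID, User, Relation, Object string
	ContextualTuples                         []string // constructed "user#relation@object" strings
}

// naiveKey hashes only the (user, relation, object) triple: a decision-relevant field
// left out of the key (model version, contextual tuples) lets two different requests share it.
func naiveKey(r CheckRequest) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(r.User+r.Relation+r.Object)))
}

// structuredKey covers every decision-relevant field and length-prefixes each value,
// so equal keys imply byte-for-byte equal requests.
func structuredKey(r CheckRequest) string {
	var buf []byte
	for _, f := range append([]string{r.StoreID, r.ModelID, r.User, r.Relation, r.Object}, r.ContextualTuples...) {
		buf = append(buf, fmt.Sprintf("%d:%s;", len(f), f)...) // length prefix keeps boundaries unambiguous
	}
	return fmt.Sprintf("%x", sha256.Sum256(buf))
}

// findCollisions reports index pairs of distinct requests that keyFn maps to one key.
func findCollisions(reqs []CheckRequest, keyFn func(CheckRequest) string) [][2]int {
	var out [][2]int
	for i := range reqs {
		for j := i + 1; j < len(reqs); j++ {
			if keyFn(reqs[i]) == keyFn(reqs[j]) && fmt.Sprint(reqs[i]) != fmt.Sprint(reqs[j]) {
				out = append(out, [2]int{i, j})
			}
		}
	}
	return out
}

// sampleRequests are constructed: the contextual tuple and the newer model each change
// the decision, but neither difference reaches naiveKey, so all three collide there.
func sampleRequests() []CheckRequest {
	base := CheckRequest{StoreID: "s1", ModelID: "m1", User: "user:anne", Relation: "viewer", Object: "doc:1"}
	withTuple, newModel := base, base
	withTuple.ContextualTuples, newModel.ModelID = []string{"user:anne#viewer@doc:1"}, "m2"
	return []CheckRequest{base, withTuple, newModel} // naive: [[0 1] [0 2] [1 2]]; structured: none
}
```

Running `findCollisions` over a recorded set of real check requests before shipping a cache key change is the regression test this class of bug calls for.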

Affected Version(s)

openfga < 1.16.0

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved