CVE-2026-33729
Cache Key Collision in OpenFGA Causes Authorization Bypass
Publication date: 2026-03-27
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openfga | openfga | < 1.13.1 (1.13.1 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1289 | The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenFGA versions prior to 1.13.1 occurs when models use conditions with caching enabled. Under specific conditions, two different authorization check requests can produce the same cache key, causing OpenFGA to reuse a cached result from a previous, different request.
This happens because the cache key generation did not properly sanitize Unicode control characters and did not encode the length of keys in the cache key, leading to collisions or incorrect cache hits.
As a result, the system might return incorrect cached authorization results, potentially allowing incorrect permission decisions.
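The following Go sketch is an added illustration, not OpenFGA's own code: it shows why a cache key built by joining request components with a separator (and without length encoding) lets two different check requests collide, and why length-prefixing each sanitized component keeps them distinct. The component names and context values are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// naiveKey joins the components of a check request (object, relation, user,
// condition context) with a separator only. Illustrative, not OpenFGA's code:
// a component that contains the separator shifts the boundaries, so two
// different requests can yield one key and share a cached decision.
func naiveKey(parts ...string) string {
	return strings.Join(parts, "|")
}

// stripControl removes Unicode control characters from s.
func stripControl(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1
		}
		return r
	}, s)
}

// safeKey sanitizes each component and prefixes it with its byte length, so
// component boundaries stay unambiguous whatever a component contains.
func safeKey(parts ...string) string {
	var b strings.Builder
	for _, p := range parts {
		p = stripControl(p)
		b.WriteString(strconv.Itoa(len(p)) + ":" + p)
	}
	return b.String()
}

func main() {
	// Constructed requests that differ only in where a component boundary lies:
	// request a passes both values in the condition context, request b smuggles
	// the first value into the user component.
	a := []string{"document:1", "viewer", "user:bob", "ip=10.0.0.1|trusted=yes"}
	b := []string{"document:1", "viewer", "user:bob|ip=10.0.0.1", "trusted=yes"}
	fmt.Println("naive keys collide:", naiveKey(a...) == naiveKey(b...)) // true
	fmt.Println("safe keys collide: ", safeKey(a...) == safeKey(b...))   // false
}
```

With the naive key, a decision cached for request a is returned for request b even though the requests differ; with length-prefixed keys the second request misses the cache and is evaluated on its own.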
How can this vulnerability impact me?
The vulnerability can impact you by causing OpenFGA to return incorrect authorization decisions due to cache key collisions.
- Users relying on models with conditional relations and caching enabled may receive stale or incorrect permission checks.
- This can lead to unauthorized access if a cached positive authorization is incorrectly reused for a different request.
- Alternatively, it could cause denial of access if a cached negative result is reused improperly.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves OpenFGA models using conditions with caching enabled, where two different check requests might produce the same cache key, causing incorrect cached results to be reused.
Detection would involve monitoring OpenFGA check requests that use conditional relations with caching enabled and verifying if cached responses are being incorrectly reused for different requests.
Since the issue is specific to cache key collisions caused by Unicode control characters or structural key length encoding, detection could include examining logs or cache entries for suspicious or malformed cache keys.
However, no specific detection commands or network/system scanning commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenFGA to version 1.13.1 or later, which contains the patch addressing this vulnerability.
This update sanitizes cache keys by stripping Unicode control characters and encodes key lengths explicitly to prevent cache key collisions and incorrect cache reuse.
Applying this update will prevent authorization errors caused by stale or incorrect cached data in conditional check requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in OpenFGA could lead to incorrect authorization decisions due to reuse of cached results for different requests when conditions and caching are enabled. Such authorization errors might result in unauthorized access or denial of access to sensitive data.
Incorrect authorization behavior can impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. If unauthorized users gain access or legitimate users are denied access due to stale or incorrect cache data, it could lead to violations of these regulations.
The patch in OpenFGA v1.13.1 addresses this issue by ensuring cached responses for conditional check requests are accurate, thereby helping maintain proper authorization enforcement and supporting compliance with such standards.