CVE-2026-33729
Received Received - Intake
Cache Key Collision in OpenFGA Causes Authorization Bypass

Publication date: 2026-03-27

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation andncaching is enabled. OpenFGA v1.13.1 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33729
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openfga openfga to 1.13.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-1289 The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OpenFGA versions prior to 1.13.1 occurs when models use conditions with caching enabled. Under specific conditions, two different authorization check requests can produce the same cache key, causing OpenFGA to reuse a cached result from a previous, different request.

This happens because the cache key generation did not properly sanitize Unicode control characters and did not encode the length of keys in the cache key, leading to collisions or incorrect cache hits.

As a result, the system might return incorrect cached authorization results, potentially allowing incorrect permission decisions.

Impact Analysis

The vulnerability can impact you by causing OpenFGA to return incorrect authorization decisions due to cache key collisions.

  • Users relying on models with conditional relations and caching enabled may receive stale or incorrect permission checks.
  • This can lead to unauthorized access if a cached positive authorization is incorrectly reused for a different request.
  • Alternatively, it could cause denial of access if a cached negative result is reused improperly.
Detection Guidance

This vulnerability involves OpenFGA models using conditions with caching enabled, where two different check requests might produce the same cache key, causing incorrect cached results to be reused.

Detection would involve monitoring OpenFGA check requests that use conditional relations with caching enabled and verifying if cached responses are being incorrectly reused for different requests.

Since the issue is specific to cache key collisions caused by Unicode control characters or structural key length encoding, detection could include examining logs or cache entries for suspicious or malformed cache keys.

However, no specific detection commands or network/system scanning commands are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenFGA to version 1.13.1 or later, which contains the patch addressing this vulnerability.

This update sanitizes cache keys by stripping Unicode control characters and encodes key lengths explicitly to prevent cache key collisions and incorrect cache reuse.

Applying this update will prevent authorization errors caused by stale or incorrect cached data in conditional check requests.

Compliance Impact

This vulnerability in OpenFGA could lead to incorrect authorization decisions due to reuse of cached results for different requests when conditions and caching are enabled. Such authorization errors might result in unauthorized access or denial of access to sensitive data.

Incorrect authorization behavior can impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. If unauthorized users gain access or legitimate users are denied access due to stale or incorrect cache data, it could lead to violations of these regulations.

The patch in OpenFGA v1.13.1 addresses this issue by ensuring cached responses for conditional check requests are accurate, thereby helping maintain proper authorization enforcement and supporting compliance with such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33729. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart