CVE-2026-34972
Improper Policy Enforcement in OpenFGA BatchCheck Calls
Publication date: 2026-04-06
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openfga | helm_charts | From 0.2.16 (inc) to 0.2.62 (exc) |
| openfga | openfga | From 1.8.0 (inc) to 1.14.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenFGA versions 1.8.0 to 1.13.1. Under specific conditions, when BatchCheck calls include multiple checks for the same object, relation, and user combination, it can lead to improper policy enforcement. Essentially, the authorization engine may not correctly enforce permissions, potentially allowing unauthorized access or actions.
How can this vulnerability impact me? :
The impact of this vulnerability is that it can cause improper enforcement of authorization policies. This means that users might gain access to resources or perform actions they are not permitted to, leading to potential data exposure, unauthorized modifications, or other security breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenFGA to version 1.14.0 or later, where the issue is fixed.