CVE-2026-41131
Received Received - Intake
Cache Key Collision Vulnerability in OpenFGA Authorization Engine

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41131
EUVD
EUVD-2026-24573
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openfga openfga to 1.14.1 (exc)
openfga helm_charts to 0.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects OpenFGA, an authorization and permission engine. Before version 1.14.1, when models used conditions with caching enabled, two different check requests could produce the same cache key. This means OpenFGA might reuse a cached result from an earlier request for a different subsequent request, potentially leading to incorrect authorization decisions.

The issue occurs only if the model has relations that rely on condition evaluation and caching is enabled by the user. The problem was fixed in OpenFGA version 1.14.1.

Impact Analysis

This vulnerability can impact you by causing OpenFGA to return incorrect authorization results due to cache reuse. Specifically, a permission check might incorrectly allow or deny access because it used a cached response from a different request.

Such incorrect authorization decisions can lead to unauthorized access or denial of legitimate access, potentially compromising the security and functionality of applications relying on OpenFGA for permission management.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenFGA to version 1.14.1 or later, as this version contains the fix addressing the caching issue.

Additionally, review your models to identify if they use relations relying on condition evaluation with caching enabled, as these are the preconditions for the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41131. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart