CVE-2026-34972

Published: Apr 6, 2026Modified: Apr 20, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.

Affected (2)

Products: Openfga: Helm Charts, Openfga

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Openfga Helm Charts	From 0.2.16 to 0.2.62
Openfga Openfga	From 1.8.0 to 1.14.0

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (1)

https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.