CVE-2026-48096

Published: Jun 10, 2026Modified: Jun 12, 2026

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.

Affected (2)

Products: Openfga: Helm Charts, Openfga

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Openfga Helm Charts	Before 0.3.5
Openfga Openfga	Before 1.16.0

Related CWEs

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (2)

https://github.com/openfga/openfga/releases/tag/v1.16.0

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/openfga/openfga/security/advisories/GHSA-8396-jffm-qx4w

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.