OpenFGA data access bypassed by cache misuse
GHSA-h6c8-cww8-35hf
CVE-2026-33729
GO-2026-4857
Summary
OpenFGA allows unauthorized access to sensitive data when caching is enabled and certain conditions are met. This could lead to data being exposed that shouldn't be. To fix, update to OpenFGA version 1.13.1.
What to do
- Update the Go module github.com/openfga/openfga (product: openfga) to version 1.13.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | openfga | <= 1.13.1 | 1.13.1 |
| openfga | github.com/openfga/openfga | <= 1.13.1 | 1.13.1 |
Original description
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation and caching is enabled. OpenFGA v1.13.1 contains a patch.
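The failure mode the description names, as an added illustration that is not OpenFGA's code: a toy decision cache whose key covers only user, relation and object (one hypothetical way two condition-dependent checks can collide; the advisory does not say which fields were missing from the real key) serves a stale allow to a second request whose condition context differs, while a key that also folds in a canonical encoding of the context forces re-evaluation. The `CheckRequest` type, the "ip" condition and the sample values are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// CheckRequest is a constructed, simplified check: user, relation, object and the context that model conditions evaluate.
type CheckRequest struct {
	User, Relation, Object string
	Context                map[string]any
}

// weakCacheKey ignores the condition context, so checks differing only in that context collide on one key.
func weakCacheKey(r CheckRequest) string {
	h := sha256.Sum256([]byte(r.User + "#" + r.Relation + "@" + r.Object))
	return hex.EncodeToString(h[:])
}

// strictCacheKey adds a canonical JSON encoding of the context (encoding/json sorts map keys), so differing condition inputs never share a result.
func strictCacheKey(r CheckRequest) string {
	ctx, _ := json.Marshal(r.Context)
	h := sha256.Sum256([]byte(r.User + "#" + r.Relation + "@" + r.Object + "|" + string(ctx)))
	return hex.EncodeToString(h[:])
}

// check consults the cache keyed by keyFn before evaluating a hypothetical condition ("ip" must equal 10.0.0.5); fromCache reports a hit.
func check(keyFn func(CheckRequest) string, store map[string]bool, r CheckRequest) (allowed, fromCache bool) {
	k := keyFn(r)
	if v, ok := store[k]; ok {
		return v, true
	}
	allowed = r.Context["ip"] == "10.0.0.5"
	store[k] = allowed
	return allowed, false
}

func main() {
	trusted := CheckRequest{"user:anne", "viewer", "doc:1", map[string]any{"ip": "10.0.0.5"}}
	other := CheckRequest{"user:anne", "viewer", "doc:1", map[string]any{"ip": "203.0.113.9"}}
	for name, keyFn := range map[string]func(CheckRequest) string{"weak": weakCacheKey, "strict": strictCacheKey} {
		store := map[string]bool{}
		check(keyFn, store, trusted) // warms the cache with the allowed decision
		allowed, hit := check(keyFn, store, other)
		fmt.Printf("%s key: second request allowed=%v fromCache=%v\n", name, allowed, hit)
	}
}
```

With the weak key the second request is allowed straight from the cache without its condition ever being evaluated; with the strict key it misses the cache and is denied.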
Severity
CVSS 4.0 (GHSA): 5.8
Vulnerability type
- CWE-20: Improper Input Validation
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-1289: Improper Validation of Unsafe Equivalence in Input
References
- Advisory: https://github.com/openfga/openfga/security/advisories/GHSA-h6c8-cww8-35hf
- Commit: https://github.com/openfga/openfga/commit/049b50ccd2cc7e163bd897f3d17a7b859ad146...
- Release: https://github.com/openfga/openfga/releases/tag/v1.13.1
- GitHub Advisory Database: https://github.com/advisories/GHSA-h6c8-cww8-35hf
- Product: https://github.com/openfga/openfga
Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 26 Mar 2026