OpenFGA has an Authorization Bypass through cached keys

Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation andncaching is enabled. OpenFGA v1.13.1 contains a patch.

Affected Products

Vendor	Product	Versions
openfga	openfga	< 1.13.1, 1.13.0

References

https://github.com/openfga/openfga/security/advisories/GHSA-h6c8-cww8-35hf(x_refsource_CONFIRM)
https://github.com/openfga/openfga/commit/049b50ccd2cc7e163bd897f3d17a7b859ad146f8(x_refsource_MISC)
https://github.com/openfga/openfga/releases/tag/v1.13.1(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-33729 | OpenFGA up to 1.13.0 permission (GHSA-h6c8-cww8-35hf)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-20, CWE-345, CWE-1289

Published3/27/2026

Last enriched3h agov3

Trending Score49

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Version History

Last enriched 3h ago

v3Tier C3h ago

Updated affected versions to include 1.13.0 and noted that no exploit is available.

affectedVersions

via VulDB

v2Tier C5h ago

Updated severity to CRITICAL, marked as actively exploited, and noted that patch version is 1.13.1.

severityactivelyExploitedpatchAvailable

via VulDB

v19h ago

Initial creation