OpenFGA, Improper Policy Enforcement, CVE-2026-34972 (MEDIUM)

Listen to this Post

How the CVE Works

OpenFGA v1.8.0 through v1.13.1 contains an incorrect authorization flaw within its `BatchCheck` API. This flaw arises from how the system deduplicates multiple check requests inside a single call. The `BatchCheck` feature is designed to evaluate several authorization queries at once, which is more efficient than calling `Check` individually. To boost performance, OpenFGA uses an in-memory, per-request cache to avoid re-evaluating identical checks. However, a flaw in the cache key generation logic causes a dangerous collision.
Specifically, when a `BatchCheck` call contains multiple checks for the same object, relation, and user combination, the system builds a cache key for each. The key is a hash of the request context, which includes elements like the store ID, model ID, tuple key, and the correlation ID for each check. The vulnerability occurs when the system treats the list of values used for key generation as a simple concatenated string. This means the order of elements in a list, or the specific arrangement of key-value pairs, is not fully considered in the key.
An attacker can send a single `BatchCheck` request with two different contexts for the same user/object/relation. The deduplication logic then incorrectly determines that these two different checks are the same. It proceeds to evaluate only the first check and uses its cached authorization decision for the second, completely different check. The system returns the result of the first check to the second request, bypassing the correct policy for that second context. This is a classic example of authorization bypass, as it allows a request to receive a result that was not intended for it. The vulnerability is fixed by improving the cache key generation to properly account for the structure and order of data within the request, ensuring each unique request context yields a unique key. The issue was patched in OpenFGA v1.14.0 by correcting this `list-value cache-key collision` problem.

DailyCVE Form

Platform: OpenFGA
Version: 1.8.0 to 1.13.1
Vulnerability: Improper Policy Enforcement
Severity: MEDIUM (CVSS 5.0)
Date: 2026-04-06

Prediction: Patched v1.14.0 (2026-04-06)

What Undercode Say

Analytics can be performed to detect exploitation attempts. A key indicator is anomalous `BatchCheck` usage. Use the following command to search for logs with multiple checks in one request where the correlation IDs differ but the check parameters are identical. Another indicator is a sudden spike in `BatchCheck` calls, as an attacker might try to brute-force the caching mechanism. You can also monitor OpenFGA’s internal cache metrics for an unusually high number of cache hits for checks that should be unique.

Search for BatchCheck requests with potential duplicate cache keys
grep "BatchCheck" /var/log/openfga/audit.log | jq 'select(.checks | length > 1) | .checks[].correlation_id, .checks[].tuple_key'
// Example of a vulnerable BatchCheck call (simplified)
type BatchCheckRequest struct {
CorrelationID string
TupleKey TupleKey
Context Context
}
// If two requests have the same TupleKey but different Context,
// they would incorrectly receive the same cached result.

Exploit

To exploit this vulnerability, an attacker needs low-privileged access to the OpenFGA API. The attacker would craft a single `BatchCheck` request that includes two checks for the same user, object, and relation, but with different contexts. The contexts must differ in a way that the cache key generation algorithm fails to distinguish them. When the engine processes the request, it will evaluate the first check, cache the result, and then for the second check, it will incorrectly return the cached result from the first check. This allows the attacker to receive an authorization decision intended for a different context, effectively bypassing the correct policy.

Example cURL exploit (conceptual)
curl -X POST https://openfga.example.com/v1/stores/{store_id}/batch-check \
-H "Content-Type: application/json" \
-d '{
"checks": [
{
"correlation_id": "1",
"tuple_key": { "object": "doc:1", "relation": "viewer", "user": "user:1" },
"context": { "attribute": "value1" }
},
{
"correlation_id": "2",
"tuple_key": { "object": "doc:1", "relation": "viewer", "user": "user:1" },
"context": { "attribute": "value2" }
}
]
}'

Protection from this CVE

The primary and only official fix is to upgrade to OpenFGA v1.14.0 or later. This version includes a corrected cache key generation algorithm that properly differentiates between distinct request contexts. If an immediate upgrade is not possible, as a temporary workaround, you can disable caching for models that use context-sensitive conditions. This can be done by setting the `OPENFGA_CHECK_QUERY_CACHE_ENABLED` environment variable to false. However, this will impact performance and is not a permanent solution. Additionally, review your audit logs for any anomalous `BatchCheck` patterns, such as a high volume of requests with the same user/object/relation but varying contexts.

Impact

This vulnerability allows an attacker with low privileges to bypass authorization policies. The impact is primarily on the confidentiality and integrity of the protected data. An attacker could gain unauthorized access to resources they should not be able to view or modify. The CVSS score is 5.0 (Medium), with the following vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L. The attack complexity is high because the attacker needs to understand the specific conditions that cause the cache key collision. The vulnerability does not lead to a full system compromise, privilege escalation, or denial of service; it is a targeted bypass of specific access rules. The potential damage is limited to the resources protected by the vulnerable `BatchCheck` calls.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top