{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34972", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T19:38:31.616Z", "datePublished": "2026-04-06T20:41:33.414Z", "dateUpdated": "2026-04-07T14:01:23.508Z"}, "containers": {"cna": {"title": "OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45"}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": ">= 1.8.0, < 1.14.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:41:33.414Z"}, "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0."}], "source": {"advisory": "GHSA-jwvj-g8pc-cx45", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:01:13.438567Z", "id": "CVE-2026-34972", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:01:23.508Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:01:13.438567Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:01:18.314Z"}}], "cna": {"title": "OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision", "source": {"advisory": "GHSA-jwvj-g8pc-cx45", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"status": "affected", "version": ">= 1.8.0, < 1.14.0"}]}], "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45", "name": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:41:33.414Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34972", "state": "PUBLISHED", "dateUpdated": "2026-04-07T14:01:23.508Z", "dateReserved": "2026-03-31T19:38:31.616Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T20:41:33.414Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*", "matchCriteriaId": "EABAAAEF-53E1-4ED5-9680-9748EF76A60A", "versionEndExcluding": "0.2.62", "versionStartIncluding": "0.2.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D29D1A0-093C-4775-9409-BED9C6D4CE7E", "versionEndExcluding": "1.14.0", "versionStartIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0."}], "id": "CVE-2026-34972", "lastModified": "2026-04-20T16:55:51.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T21:16:19.997", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/openfga/openfga: OpenFGA: Improper policy enforcement via specific BatchCheck calls", "id": "2455611", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455611"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["A flaw was found in OpenFGA, a high-performance authorization engine. Under specific conditions, a user making BatchCheck calls with multiple checks for the same object, relation, and user combination can trigger improper policy enforcement. This can lead to incorrect authorization decisions, potentially allowing unauthorized access to resources or actions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-34972", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Not affected", "package_name": "redhat-user-workloads/glo-grafana-globalhub-1-7", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "redhat-user-workloads/grafana-acm-214", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "redhat-user-workloads/grafana-acm-215", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/grafana-acm-216", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Fix deferred", "package_name": "rhceph-ci/grafana", "product_name": "Red Hat Ceph Storage 6"}], "public_date": "2026-04-06T20:41:33Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34972\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34972\nhttps://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.8.0,1.14.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openfga", "source": "cna", "vendor": "openfga"}, "product": "openfga", "vendor": "openfga"}], "analysis": {"en": {"generated_at": "2026-04-07T19:55:50.542176+00:00", "value": {"mitigation_remediation": ["Upgrade OpenFGA to version 1.14.0 or later to apply the fix", "Verify that the deployment is running the updated version and that the BatchCheck endpoint is correctly handling requests", "Monitor logs for anomalous authorization responses that may indicate residual or new permission issues", "If upgrading is delayed, consider enforcing stricter request validation or segregating critical checks outside of BatchCheck until the update is applied"], "summary": {"action": "Patch", "impact": "Incorrect Authorization Decisions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects OpenFGA Engine versions 1.8.0 through 1.13.1. Production deployments using any of these releases are at risk until the application is upgraded to version 1.14.0 or later, which contains the remediation.", "description_and_impact": "OpenFGA's BatchCheck performs deduplication of authorization checks inside a single request. Under specific circumstances related to list\u2011value cache\u2011key collisions, the deduplication can incorrectly merge checks, causing the engine to return a permissive policy outcome for a context that should be denied. The result is improper enforcement of access control, allowing a user that should not have access to be granted it, thereby compromising confidentiality and integrity of protected resources.", "risk_and_exploitability": "The CVSS score of 5.0 indicates a moderate level of severity, while the EPSS score of less than 1% points to a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would most likely trigger the issue by submitting multiple authorization checks for the same object, relation, and user within a single request, a vector that is inferred from the described cache\u2011key collision mechanism. If exploited, the attacker could gain unauthorized access to resources or functionality that should be protected."}}}}, "created": "2026-04-07T06:54:10.601299+00:00", "updated": "2026-04-08T19:50:31.578954+00:00", "vendors": ["openfga", "openfga$PRODUCT$openfga"]}