CVE-2026-34972

Severity: MEDIUM (CVSS 5.0) | EPSS: 0.02%

OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

Published: 4/7/2026 | Modified: 4/8/2026

Description

### Description

In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement.

### Am I affected?

You are affected if you meet the following preconditions:

1. You execute **BatchCheck** operations which rely on context.
2. Multiple checks are sent within a single BatchCheck operation for the same user/object/relation combination, each containing context.
3. The contexts between those checks differ in a specific way.

### Fix

Upgrade to OpenFGA v1.14.0.

### Acknowledgement

OpenFGA would like to thank @bugbunny-research for the discovery and detailed report.
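The preconditions above, turned into an audit you can run against your own traffic before upgrading. This is an added example, not part of the advisory and not OpenFGA code: a Go helper that scans a BatchCheck request body for checks that share a (user, relation, object) tuple while carrying different `context` values, and that splits such a request so that no single BatchCheck repeats a tuple. The request shape follows the public BatchCheck API fields (`tuple_key`, `context`, `correlation_id`); the sample request, the function names, and the split-by-tuple workaround are assumptions made here. The advisory does not say which context differences trigger the cache-key collision, so the scan reports every difference (a superset of what is exploitable), and it does not attempt to reproduce the collision itself. The only supported fix remains the upgrade to v1.14.0.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Request shape follows the public OpenFGA BatchCheck body (tuple_key,
// context, correlation_id); contextual_tuples and the model id are omitted.
type TupleKey struct {
	User     string `json:"user"`
	Relation string `json:"relation"`
	Object   string `json:"object"`
}
type BatchCheckItem struct {
	TupleKey      TupleKey        `json:"tuple_key"`
	Context       json.RawMessage `json:"context,omitempty"`
	CorrelationID string          `json:"correlation_id"`
}
type BatchCheckRequest struct {
	Checks []BatchCheckItem `json:"checks"`
}

// canonicalContext re-encodes a context so object key order is irrelevant while
// list order and element boundaries survive (encoding/json sorts map keys).
func canonicalContext(raw json.RawMessage) string {
	var v any
	if len(raw) == 0 || json.Unmarshal(raw, &v) != nil {
		return string(raw) // empty or unparseable: keep the raw bytes as the value
	}
	out, _ := json.Marshal(v) // cannot fail for a value produced by Unmarshal
	return string(out)
}

// Finding: one (user, relation, object) sent more than once in a request with
// at least two distinct contexts, i.e. preconditions 2 and 3 of the advisory.
type Finding struct {
	Key            TupleKey
	CorrelationIDs []string
	Contexts       map[string]bool // distinct canonical contexts
}

func FindDuplicateTuplesWithDifferingContext(req BatchCheckRequest) []Finding {
	groups, order := map[TupleKey]*Finding{}, []TupleKey{} // order keeps output deterministic
	for _, c := range req.Checks {
		f, ok := groups[c.TupleKey]
		if !ok {
			f = &Finding{Key: c.TupleKey, Contexts: map[string]bool{}}
			groups[c.TupleKey], order = f, append(order, c.TupleKey)
		}
		f.CorrelationIDs = append(f.CorrelationIDs, c.CorrelationID)
		f.Contexts[canonicalContext(c.Context)] = true
	}
	var findings []Finding
	for _, k := range order {
		if f := groups[k]; len(f.CorrelationIDs) > 1 && len(f.Contexts) > 1 {
			findings = append(findings, *f)
		}
	}
	return findings
}

// SplitByTupleKey partitions a request so no single BatchCheck repeats a tuple key:
// a client-side workaround derived from precondition 2 (an assumption here, not an
// OpenFGA-published mitigation; the supported fix is the upgrade to v1.14.0).
func SplitByTupleKey(req BatchCheckRequest) []BatchCheckRequest {
	var batches []BatchCheckRequest
	var seen []map[TupleKey]bool
	for _, c := range req.Checks {
		i := 0
		for i < len(batches) && seen[i][c.TupleKey] { // first batch lacking this tuple
			i++
		}
		if i == len(batches) {
			batches, seen = append(batches, BatchCheckRequest{}), append(seen, map[TupleKey]bool{})
		}
		batches[i].Checks = append(batches[i].Checks, c)
		seen[i][c.TupleKey] = true
	}
	return batches
}

// sampleRequest is constructed for this example, not a captured request: c1..c3
// repeat one tuple with list contexts differing in length or order; c4 is another user.
const sampleRequest = `{"checks":[
{"tuple_key":{"user":"user:anne","relation":"viewer","object":"document:roadmap"},"context":{"ip_ranges":["10.0.0.0/8","192.168.0.0/16"]},"correlation_id":"c1"},
{"tuple_key":{"user":"user:anne","relation":"viewer","object":"document:roadmap"},"context":{"ip_ranges":["10.0.0.0/8"]},"correlation_id":"c2"},
{"tuple_key":{"user":"user:anne","relation":"viewer","object":"document:roadmap"},"context":{"ip_ranges":["192.168.0.0/16","10.0.0.0/8"]},"correlation_id":"c3"},
{"tuple_key":{"user":"user:bob","relation":"viewer","object":"document:roadmap"},"context":{"ip_ranges":["10.0.0.0/8"]},"correlation_id":"c4"}
]}`

func main() {
	var req BatchCheckRequest
	if err := json.Unmarshal([]byte(sampleRequest), &req); err != nil {
		panic(err)
	}
	for _, f := range FindDuplicateTuplesWithDifferingContext(req) {
		fmt.Printf("%+v: %v carry %d distinct contexts\n", f.Key, f.CorrelationIDs, len(f.Contexts))
	}
	fmt.Printf("split into %d requests\n", len(SplitByTupleKey(req)))
}
```

Run it over the BatchCheck bodies your services actually send (for example from an access log or a request-capturing proxy); any finding means the service meets preconditions 1 and 2 and, depending on how its contexts differ, may meet precondition 3. The canonical form deliberately keeps list order and element boundaries, since the advisory title points at list-valued context as the collision source, so `["a","b"]` and `["b","a"]` are counted as different contexts.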

Affected packages (1)

CVSS scores

| Source | CVSS version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |

References (3)