CVE-2026-48096 — OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator tha

Description

### Description In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. ### Preconditions This applies if the following preconditions are present: - FGA runs with SharedIteratorCache enabled, - FGA runs with ListObjectsIteratorCache enabled. ### Fix Upgrade to version 1.16.0 or greater. ### Acknowledgements OpenFGA would like to thank @j4xT for the discovery and the detailed report.

How to fix CVE-2026-48096

To remediate CVE-2026-48096, upgrade the affected package to a fixed version below.

—upgrade to 1.16.0 or later

Is CVE-2026-48096 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-48096.

Affected packages (1)

from 0, < 1.16.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.0	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-48096
PATCHgithub.com/openfga/openfga
WEBgithub.com/openfga/openfga/releases/tag/v1.16.0
WEBgithub.com/openfga/openfga/security/advisories/GHSA-8396-jffm-qx4w