CVE-2026-33729

EPSS 0.01%
Veröffentlicht 27.03.2026 00:27:40
Zuletzt bearbeitet 14.04.2026 01:04:41
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation andncaching is enabled. OpenFGA v1.13.1 contains a patch.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openfga ≫ Openfga Version < 1.13.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.022

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	5.8	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1289 Improper Validation of Unsafe Equivalence in Input

The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://github.com/openfga/openfga/security/advisories/GHSA-h6c8-cww8-35hf

Vendor Advisory

https://github.com/openfga/openfga/commit/049b50ccd2cc7e163bd897f3d17a7b859ad146f8

Patch

https://github.com/openfga/openfga/releases/tag/v1.13.1

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-33729

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33729

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33729

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33729