CVSS 5.3
CVE-2026-48096
- EPSS 0.1%
- Published 10.06.2026 15:09:59
- Last modified 12.06.2026 00:46:45
- Source security-advisories@github.com
OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.
Data provided by the National Vulnerability Database (NVD)
Affected product: Openfga ≫ Helm Charts (SwPlatform openfga), version < 0.3.5
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.011 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| security-advisories@github.com | 5.0 | 1.6 | 3.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
CWE-345 Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-668 Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
https://github.com/openfga/openfga/security/advisories/GHSA-8396-jffm-qx4w
https://github.com/openfga/openfga/releases/tag/v1.16.0