GHSA-h6c8-cww8-35hf

Source
https://github.com/advisories/GHSA-h6c8-cww8-35hf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h6c8-cww8-35hf/GHSA-h6c8-cww8-35hf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h6c8-cww8-35hf
Aliases
Downstream
Related
Published
2026-03-26T17:21:50Z
Modified
2026-03-27T21:50:01.693909Z
Severity
  • 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Summary
OpenFGA has an Authorization Bypass through cached keys
Details

Description

In OpenFGA, under specific conditions, models that use conditions together with check caching can cause two different check requests to produce the same cache key. OpenFGA then serves the earlier cached result to the second, different request instead of evaluating it, which is the authorization bypass named in the summary.
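
To make the failure mode concrete, the following Go program is an added illustration, not OpenFGA code: it models a check cache whose key is derived from the tuple alone (`WeakCacheKey`) beside one that also folds in a canonical encoding of the request context that a condition reads (`FixedCacheKey`). The `CheckRequest` type, the `tier=premium` toy condition and the store, model, user and object identifiers are all constructed for the example; the page does not state which request fields OpenFGA's real key omitted, so this demonstrates the bug class (CWE-1289, unsafe equivalence of inputs) rather than the actual defect.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// CheckRequest is a simplified stand-in for an authorization check
// ("does user have relation on object?") carrying the request context that
// a model condition is evaluated against. The field set is an assumption
// made for this example, not OpenFGA's API type.
type CheckRequest struct {
	StoreID  string
	ModelID  string
	User     string
	Relation string
	Object   string
	Context  map[string]string
}

// baseKey serialises the parts of the request that identify the tuple.
func baseKey(r CheckRequest) string {
	return fmt.Sprintf("%s|%s|%s#%s@%s", r.StoreID, r.ModelID, r.Object, r.Relation, r.User)
}

// WeakCacheKey derives the key from the tuple alone. Two requests that differ
// only in the context a condition reads collide on this key. Constructed
// illustration of the bug class; not OpenFGA's real key derivation.
func WeakCacheKey(r CheckRequest) string {
	sum := sha256.Sum256([]byte(baseKey(r)))
	return hex.EncodeToString(sum[:])
}

// FixedCacheKey also hashes a canonical (sorted, length-prefixed) encoding of
// the context so checks evaluated under different condition inputs never
// share a cache slot.
func FixedCacheKey(r CheckRequest) string {
	h := sha256.New()
	h.Write([]byte(baseKey(r)))
	keys := make([]string, 0, len(r.Context))
	for k := range r.Context {
		keys = append(keys, k)
	}
	sort.Strings(keys) // map iteration order is random; canonicalise it
	for _, k := range keys {
		v := r.Context[k]
		// Length-prefix each element so "a"+"bc" and "ab"+"c" cannot collide.
		fmt.Fprintf(h, "|%d:%s=%d:%s", len(k), k, len(v), v)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// evalCondition is a toy model condition standing in for a real one:
// the relation is granted only when the caller's context says tier=premium.
func evalCondition(r CheckRequest) bool {
	return r.Context["tier"] == "premium"
}

// Checker memoises check results under a caller-supplied key function.
type Checker struct {
	KeyFn func(CheckRequest) string
	cache map[string]bool
	Evals int // real condition evaluations performed (cache misses)
}

func NewChecker(keyFn func(CheckRequest) string) *Checker {
	return &Checker{KeyFn: keyFn, cache: map[string]bool{}}
}

// Check returns the cached decision when the key is known, otherwise
// evaluates the condition and stores the result.
func (c *Checker) Check(r CheckRequest) bool {
	k := c.KeyFn(r)
	if allowed, ok := c.cache[k]; ok {
		return allowed
	}
	c.Evals++
	allowed := evalCondition(r)
	c.cache[k] = allowed
	return allowed
}

// Replay runs the two-request scenario from the advisory: a permitted check
// warms the cache, then a check with different condition input follows.
// It returns the second decision and how many real evaluations happened.
func Replay(keyFn func(CheckRequest) string) (secondAllowed bool, evals int) {
	c := NewChecker(keyFn)
	base := CheckRequest{StoreID: "store1", ModelID: "model1",
		User: "user:anne", Relation: "viewer", Object: "document:roadmap"}
	premium := base
	premium.Context = map[string]string{"tier": "premium"}
	free := base
	free.Context = map[string]string{"tier": "free"}
	_ = c.Check(premium)          // allowed and cached
	secondAllowed = c.Check(free) // must be denied
	return secondAllowed, c.Evals
}

func main() {
	weak, n := Replay(WeakCacheKey)
	fmt.Printf("weak key:  free-tier check allowed=%v (evaluations=%d)\n", weak, n)
	fixed, n := Replay(FixedCacheKey)
	fmt.Printf("fixed key: free-tier check allowed=%v (evaluations=%d)\n", fixed, n)
}
```

Run it and the weak-keyed checker answers the free-tier request from the premium result after a single real evaluation, while the fixed-keyed checker evaluates twice and denies. The review question for any memoised authorization path is the same: every input the decision depends on, condition context included, must be part of the key and encoded unambiguously.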

Am I Affected?

Users are affected if both of the following preconditions are met:

1. The model has relations that rely on condition evaluation.
2. Caching is enabled.

Fix

Upgrade to OpenFGA v1.13.1.

Acknowledgement

OpenFGA would like to thank @Amemoyoi for the discovery and responsible disclosure.

Database specific
{
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-27T01:16:20Z",
    "github_reviewed_at": "2026-03-26T17:21:50Z",
    "cwe_ids": [
        "CWE-1289",
        "CWE-20",
        "CWE-345"
    ],
    "github_reviewed": true
}
References

Affected packages

Go / github.com/openfga/openfga

Package

Name
github.com/openfga/openfga
Purl
pkg:golang/github.com/openfga/openfga

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.13.1
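
The affected range above uses OSV's SEMVER event semantics: a version is affected if it is at or above an "introduced" event and below the next "fixed" event. The following Go program is an added example, not OSV or OpenFGA tooling, that evaluates this page's range (introduced 0, fixed 1.13.1) against a module version as `go list -m` prints it (with a `v` prefix). The `Event` type and `AdvisoryEvents` value are constructed here from the page's data; pre-release ordering uses a plain string comparison, which is an approximation.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one entry of an OSV SEMVER "events" list; exactly one of
// Introduced or Fixed is set. Constructed to mirror the page's data.
type Event struct {
	Introduced string
	Fixed      string
}

// AdvisoryEvents reproduces the affected range published on this page:
// introduced "0" (all previous versions), fixed "1.13.1".
var AdvisoryEvents = []Event{{Introduced: "0"}, {Fixed: "1.13.1"}}

type semver struct {
	nums [3]int
	pre  string // non-empty for pre-releases such as "1.13.1-rc.1"
}

// parseSemver accepts "1.13.1", "v1.13.1" (Go module form), "0", and
// pre-release/build suffixes. Missing components default to 0.
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata never affects ordering
	}
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 {
		s, v.pre = s[:i], s[i+1:]
	}
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("too many components in %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q", p)
		}
		v.nums[i] = n
	}
	return v, nil
}

// compare orders two versions: -1 if a < b, 0 if equal, +1 if a > b.
// A pre-release sorts before the release it precedes (1.13.1-rc.1 < 1.13.1).
func compare(a, b semver) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre) // approximation of pre-release ordering
}

// Affected applies OSV SEMVER range semantics: walk the (ascending) events,
// entering the affected range at an "introduced" version <= v and leaving
// it at a "fixed" version <= v.
func Affected(version string, events []Event) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	affected := false
	for _, e := range events {
		bound := e.Introduced
		if e.Fixed != "" {
			bound = e.Fixed
		}
		b, err := parseSemver(bound)
		if err != nil {
			return false, err
		}
		if compare(v, b) >= 0 {
			affected = e.Introduced != ""
		}
	}
	return affected, nil
}

func main() {
	for _, v := range []string{"v1.12.0", "v1.13.0", "v1.13.1-rc.1", "v1.13.1", "v1.14.0"} {
		a, _ := Affected(v, AdvisoryEvents)
		fmt.Printf("%-14s affected=%v\n", v, a)
	}
}
```

Feed it the version from `go list -m github.com/openfga/openfga` (or the server's reported version) and it reports whether the deployment falls inside the published range; anything below 1.13.1, pre-releases of 1.13.1 included, is affected.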

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h6c8-cww8-35hf/GHSA-h6c8-cww8-35hf.json"