{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41131", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T12:59:15.737Z", "datePublished": "2026-04-21T23:38:29.955Z", "dateUpdated": "2026-04-21T23:38:29.955Z"}, "containers": {"cna": {"title": "OpenFGA has Improper Policy Enforcement", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-706", "lang": "en", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6"}, {"name": "https://github.com/openfga/openfga/releases/tag/v1.14.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/releases/tag/v1.14.1"}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": "< 1.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:38:29.955Z"}, "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix."}], "source": {"advisory": "GHSA-57j5-qwp2-vqp6", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix."}], "id": "CVE-2026-41131", "lastModified": "2026-04-22T00:16:29.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:29.013", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openfga/openfga/releases/tag/v1.14.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.14.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openfga", "source": "cna", "vendor": "openfga"}, "product": "openfga", "vendor": "openfga"}], "analysis": {"en": {"generated_at": "2026-04-22T06:09:24.816320+00:00", "value": {"mitigation_remediation": ["Upgrade OpenFGA to version 1.14.1 or later", "If upgrading is not immediately possible, disable caching for models that use conditions to prevent cache key collisions", "Conduct an audit of all existing models for condition usage and evaluate whether caching can be safely disabled or alternate caching strategies applied"], "summary": {"action": "Patch", "impact": "Unauthorized access via cached policy result"}, "threat_synthesis": {"affected_systems": "The affected product is OpenFGA (the openfga project). Versions prior to 1.14.1 are vulnerable, including all releases from the project's initial release up to 1.14.0. OpenFGA v1.14.1 and later contain the fix and are considered secure.", "description_and_impact": "OpenFGA, an authorization engine, can incorrectly enforce policies when conditions are used in models with caching enabled. The flaw allows a single cache key to be reused for distinct check requests, causing OpenFGA to return an earlier cached result instead of evaluating the new request. This improper policy enforcement can expose a user to a state that the model should not allow, thereby potentially granting unauthorized permissions. The vulnerability is classified as CWE-706 and CWE-863, reflecting a misuse of authorization logic and a failure to check authorization properly.", "risk_and_exploitability": "The CVSS score of 5 indicates medium severity, and the EPSS score is not publicly available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the model has conditions that influence authorization decisions and that the caching feature is enabled. An attacker must submit two check requests that generate an identical cache key but would normally produce different results. While the exact attack vector is not exhaustively detailed, it can be inferred that the attacker only needs the ability to craft requests to a target OpenFGA instance. The moderate CVSS score suggests exploitation is feasible but not trivial, and the lack of a readily available workaround means that only an updated version mitigates the risk. The overall risk is medium, with the potential to allow unintended access when caching is misused."}}}}, "created": "2026-04-22T01:30:05.070279+00:00", "updated": "2026-04-22T06:15:10.414256+00:00", "vendors": ["openfga", "openfga$PRODUCT$openfga"]}