PT-2026-28515 · Openfga · Openfga

Amemoyoif

Published

2026-03-26

Updated

2026-03-27

CVE-2026-33729

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OpenFGA versions prior to 1.13.1

Description OpenFGA is a high-performance and flexible authorization/permission engine. Under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations that depend on condition evaluation and caching is enabled.

Recommendations Upgrade to OpenFGA version 1.13.1.

Exploit

Fix

Insufficient Verification of Data Authenticity

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-345CWE-1289CWE-20

Related Identifiers

CVE-2026-33729

GHSA-H6C8-CWW8-35HF

GO-2026-4857

SUSE-SU-2026:1135-1

Affected Products

Openfga

PT-2026-28515 · Openfga · Openfga

CVE-2026-33729

Weakness Enumeration

Related Identifiers

Affected Products

References · 151