MEDIUM 5.0

CVE-2026-48096 OpenFGA Cache Collision Vulnerability: Impact, Patching & Detection

OpenFGA, an authorization engine used by developers to control permissions, has a caching flaw that could cause it to reuse incorrect permission decisions. When iterator caching is enabled, two different permission requests can accidentally use the same cached result, potentially allowing or denying access incorrectly. The issue affects versions before 1.16.0 and has been patched.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-345, CWE-668
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-48096 is a cache collision vulnerability in OpenFGA's iterator caching mechanism. Under specific conditions, two distinct authorization check requests generate identical cache keys, causing OpenFGA to return a previously cached result instead of evaluating the new request independently. This violates the principle that each authorization decision should be context-specific. The vulnerability is rooted in insufficient cache key uniqueness (CWE-345: Insufficient Verification of Data Authenticity, CWE-668: Operation on a Resource After Expiration or Release). Exploitation requires an authenticated user with sufficient privileges to trigger multiple check requests that collide in the cache.

Business impact

This vulnerability could lead to authorization bypass or incorrect permission enforcement in applications relying on OpenFGA. A legitimate user denied access to a resource could potentially gain access if their request collides with a previously cached approval from another user. Conversely, an authorized user might be incorrectly denied if a cached denial is reused. In production environments managing critical access controls, this could expose sensitive data, enable unauthorized actions, or disrupt legitimate workflows. The CVSS score of 5.0 reflects the need for authentication and harder exploitation path, but the integrity and confidentiality impact remains material.

Affected systems

OpenFGA versions prior to 1.16.0 are vulnerable. This includes the openfga/openfga package and openfga/helm_charts deployments. Any deployment with iterator caching explicitly enabled is at risk. Organizations using OpenFGA for access control in Kubernetes environments (via Helm charts) or as a direct service should prioritize validation.

Exploitability

Exploitation requires an authenticated user with login privileges and the ability to craft specific authorization check requests that collide in the cache. The attack is not trivial—an attacker must understand the caching implementation and timing to reliably trigger collisions. The CVSS vector (AC:H, PR:L) indicates high attack complexity and low privilege requirements, meaning the barrier to exploitation is moderate but not trivial. No public exploit code or active in-the-wild exploitation has been documented.

Remediation

Upgrade OpenFGA to version 1.16.0 or later immediately. Verify the upgrade through your package manager (Go packages, Helm repositories) and validate the patch in your deployment logs. As an interim measure, disabling iterator caching (if operationally feasible) will eliminate the vulnerability, though this may impact performance. Verify configuration settings post-upgrade to ensure caching is correctly re-enabled if required.

Patch guidance

Update openfga/openfga to version 1.16.0 or later. For Helm-based deployments, update openfga/helm_charts to a version that references the patched OpenFGA binary (verify the Helm chart's appVersion field points to 1.16.0+). Test the patch in a staging environment first to confirm compatibility with your authorization policies and to measure any performance impact. Review your deployment's cache configuration after patching to ensure it aligns with your security and performance requirements.

Detection guidance

Monitor OpenFGA logs for unexpected authorization decisions, particularly patterns where the same check request returns different results on subsequent calls. Audit access control decisions around sensitive resources to identify discrepancies. Review cache hit rates and timing anomalies. If you have APM or authorization event logging in place, look for sequences where a denial is followed by an approval for the same user-resource pair within a short time window. Check your OpenFGA version via the /health or version endpoint to confirm whether you are running a vulnerable build.

Why prioritize this

Although this vulnerability carries a CVSS score of 5.0 (medium) and is not yet in the CISA KEV catalog, it directly affects access control logic—a critical security function. Any flaw in authorization systems, even with moderate exploitability, warrants urgent attention because it undermines the foundation of least-privilege security models. Organizations should treat this as a high-priority patch in their roadmap, especially if OpenFGA controls access to sensitive data or critical systems.

Risk score, explained

The CVSS 3.1 score of 5.0 reflects a Medium severity rating. The score accounts for network accessibility (AV:N), high attack complexity requiring cache collision timing (AC:H), requirement for authenticated access (PR:L), and confidentiality, integrity, and availability impacts (C:L, I:L, A:L) limited to the user's own authorization context. The moderate score does not diminish the importance of patching; it reflects that exploitation is difficult to pull off reliably, but not impossible for a skilled attacker with system knowledge.

Frequently asked questions

Does this vulnerability allow an attacker to escalate privileges without authentication?

No. CVE-2026-48096 requires an authenticated user (PR:L). An attacker cannot exploit this remotely without valid credentials. However, an authenticated user can potentially manipulate cached results to gain unintended access or cause a denial of service for legitimate requests.

If we disable iterator caching, are we fully protected?

Yes, disabling iterator caching eliminates the cache collision mechanism entirely. However, this may reduce OpenFGA performance, particularly in high-throughput environments. Disabling caching should be a temporary interim measure while you prepare and validate the upgrade to version 1.16.0.

How do we verify that our OpenFGA deployment is patched?

Check your running OpenFGA instance version via the health or version endpoint. Confirm the version number is 1.16.0 or later. For Helm deployments, verify the appVersion in the deployed Helm release matches or exceeds 1.16.0. Review your pod or container image tag to ensure it points to a patched build.

Could this vulnerability affect OpenFGA deployments with caching disabled by default?

No. The vulnerability only manifests when iterator caching is explicitly enabled in configuration. If your deployment runs with default settings and caching is disabled, you are not vulnerable. However, verify your actual configuration to be certain; do not assume defaults.

This analysis is based on publicly available vulnerability data current as of the publication date. Organizations should verify all patch version numbers, affected product configurations, and compatibility requirements against official vendor advisories and release notes. CVSS scores are provided by the National Vulnerability Database (NVD) and represent the view of the scoring vector at the time of publication. The presence or absence of a vulnerability in the CISA Known Exploited Vulnerabilities (KEV) catalog does not guarantee exploitation will or will not occur; it indicates current public knowledge. Always test patches in a non-production environment before deployment, and consult your security team and OpenFGA documentation for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).