GHSA-57j5-qwp2-vqp6

Source
https://github.com/advisories/GHSA-57j5-qwp2-vqp6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-57j5-qwp2-vqp6/GHSA-57j5-qwp2-vqp6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-57j5-qwp2-vqp6
Aliases
  • CVE-2026-41131
Published
2026-04-22T19:43:36Z
Modified
2026-05-06T16:29:14.981781237Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
OpenFGA has Improper Policy Enforcement
Details

Description

In OpenFGA, in specific scenarios, when caching is enabled, models that use conditions can cause two different Check requests to produce the same cache key. As a result, OpenFGA may reuse the cached result of an earlier request when answering a later, different request.

Am I Affected?

Users are affected if their applications meet the following preconditions:

  • The model has relations which rely on condition evaluation.
  • Caching is enabled.

Fix

Upgrade to OpenFGA v1.14.1.

Acknowledgement

OpenFGA would like to thank @bugbunny-research for the detailed report.

Database specific
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2026-04-22T00:16:29Z",
    "cwe_ids": [
        "CWE-706",
        "CWE-863"
    ],
    "github_reviewed_at": "2026-04-22T19:43:36Z"
}

Affected packages

Go / github.com/openfga/openfga

Package

Name
github.com/openfga/openfga
Purl
pkg:golang/github.com/openfga/openfga

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.14.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-57j5-qwp2-vqp6/GHSA-57j5-qwp2-vqp6.json"