CVE-2026-41131 MEDIUM

CVE-2026-41131: OpenFGA has Improper Policy Enforcement

Vendor Openfga
Product openfga
Weakness CWE-863 · Incorrect authorization
Published April 21, 2026
Last update April 22, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

Description

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for the vulnerability are a model with relations that rely on condition evaluation and a deployment with caching enabled. OpenFGA v1.14.1 contains a fix.

Key dates

Disclosure timeline

April 21, 2026 CVE published
April 22, 2026 Record updated
