CVE-2026-48096 MEDIUM

CVE-2026-48096: OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning

Vendor Openfga
Product openfga
Weakness CWE-345
Published June 10, 2026
Last update June 10, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.

Key dates

02Disclosure timeline

June 10, 2026 CVE published
June 10, 2026 Record updated