Platform: go
Component: openfga/openfga
Fixed in: 1.13.2
CVE-2026-33729 describes a cache poisoning vulnerability affecting OpenFGA versions prior to 1.13.1. This flaw allows attackers to potentially manipulate authorization decisions by causing different requests to share the same cache key when conditions and caching are enabled. The vulnerability impacts users relying on condition evaluation within their OpenFGA models. A patch is available in version 1.13.1.
The core of this vulnerability lies in how OpenFGA handles cached authorization checks when conditions are involved. Specifically, under certain model configurations utilizing conditions and caching, the system may generate identical cache keys for distinct authorization requests. This means a previous, potentially incorrect, cached result could be served for a subsequent request, effectively bypassing intended access controls. An attacker could craft malicious requests designed to trigger this cache key collision, leading to unauthorized access to resources or functionality. The blast radius is limited to systems using OpenFGA for authorization and relying on condition-based access control with caching enabled.
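The collision described above, as an added illustration that is not OpenFGA's own code: a hypothetical check cache keyed on (user, relation, object) alone replays a decision that was made under different condition context, while a key that also folds in a canonical encoding of the context forces a fresh evaluation. CheckRequest, ipIsInternal, SecondDecision and the sample IPs are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// CheckRequest is a hypothetical stand-in (not OpenFGA's type) for a conditional check.
type CheckRequest struct {
	User, Relation, Object string
	Context                map[string]interface{} // condition context, e.g. {"ip": "10.0.0.5"}
}

// naiveCacheKey omits the condition context, so two checks that differ only in
// context share one cache entry: the collision class CVE-2026-33729 describes.
func naiveCacheKey(r CheckRequest) string {
	return r.User + "#" + r.Relation + "@" + r.Object
}

// safeCacheKey appends a canonical JSON encoding of the context
// (encoding/json sorts map keys, so key order in the request is irrelevant).
func safeCacheKey(r CheckRequest) string {
	ctx, _ := json.Marshal(r.Context) // nil map -> "null", empty map -> "{}"
	return naiveCacheKey(r) + "|" + string(ctx)
}

// ipIsInternal is a constructed condition: allow only from 10.0.0.0/8.
func ipIsInternal(r CheckRequest) bool {
	ip, _ := r.Context["ip"].(string)
	return strings.HasPrefix(ip, "10.")
}

// cachedCheck replays a stored decision on a hit; correctness of that replay depends on keyOf.
func cachedCheck(cache map[string]bool, keyOf func(CheckRequest) string, r CheckRequest) bool {
	if allowed, ok := cache[keyOf(r)]; ok {
		return allowed
	}
	cache[keyOf(r)] = ipIsInternal(r)
	return cache[keyOf(r)]
}

// SecondDecision warms the cache from an internal IP, then re-asks from an external IP.
func SecondDecision(keyOf func(CheckRequest) string) bool {
	cache := map[string]bool{}
	cachedCheck(cache, keyOf, CheckRequest{"user:anne", "viewer", "doc:1", map[string]interface{}{"ip": "10.0.0.5"}})
	return cachedCheck(cache, keyOf, CheckRequest{"user:anne", "viewer", "doc:1", map[string]interface{}{"ip": "203.0.113.9"}})
}

func main() {
	fmt.Println(SecondDecision(naiveCacheKey), SecondDecision(safeCacheKey)) // true false
}
```

With the naive key the external-IP request is served the cached allow; with the context-aware key it is re-evaluated and denied, which is why disabling the cache or upgrading to a release with corrected key generation closes the issue.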
CVE-2026-33729 was publicly disclosed on 2026-03-27. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. No public proof-of-concept (PoC) code has been released. The vulnerability's complexity suggests a moderate barrier to exploitation, requiring a deep understanding of OpenFGA's model structure and caching mechanisms.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
The primary mitigation is to upgrade to OpenFGA version 1.13.1 or later, which includes a patch addressing the cache key generation logic. If immediate upgrading is not feasible, consider disabling caching for models utilizing conditions. This will eliminate the possibility of cache poisoning but may impact performance. Review your OpenFGA models to identify those relying on conditions and assess the risk. Monitor OpenFGA logs for unusual authorization patterns or errors related to cache key generation. There are no specific WAF rules or configuration workarounds available beyond disabling caching or upgrading.
Update OpenFGA to version 1.13.1 or higher. This version contains a fix for the authorization bypass caused by incorrect cache-key generation.
CVE-2026-33729 is a vulnerability in OpenFGA versions ≤ 1.13.1 where specific conditions can lead to different authorization requests sharing the same cache key, potentially causing incorrect access decisions.
You are affected if you are using OpenFGA version 1.13.1 or earlier and your models utilize conditions with caching enabled. Assess your model configurations to determine your level of risk.
Upgrade to OpenFGA version 1.13.1 or later. Alternatively, disable caching for models using conditions as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2026-33729, and no public proof-of-concept code is available.
Refer to the official OpenFGA security advisory for detailed information and updates: [https://www.openfga.io/security/advisories](https://www.openfga.io/security/advisories)