Platform: go
Component: github.com/openfga/openfga
Fixed in: 1.8.1, 1.14.0
CVE-2026-34972 describes a policy enforcement bypass vulnerability in OpenFGA. This flaw allows attackers to circumvent intended access controls under specific conditions, potentially leading to unauthorized data access or actions. The vulnerability affects versions prior to 1.14.0 and is resolved with an upgrade to that version.
The core of this vulnerability lies in how OpenFGA handles BatchCheck operations. When multiple checks are submitted within a single BatchCheck call for the same user, object, and relation, but with differing contexts, the policy enforcement logic can be improperly applied. This means an attacker could craft a BatchCheck request that, due to the context variations, results in a user being granted access they shouldn't have. The impact is a potential bypass of access control policies, allowing unauthorized actions or data retrieval. The blast radius depends on the sensitivity of the data and functionality controlled by OpenFGA’s policies. A successful exploit could lead to data breaches, privilege escalation, or other security compromises.
This vulnerability was publicly disclosed on 2026-04-07. There is no indication of active exploitation or a KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the detailed description suggests the vulnerability is potentially exploitable by skilled attackers familiar with OpenFGA’s BatchCheck mechanism. The CVSS score of 5 (Medium) indicates a moderate risk level.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34972 is to upgrade to OpenFGA version 1.14.0 or later. This version contains the necessary fixes to ensure proper policy enforcement in BatchCheck operations. If an immediate upgrade is not feasible, consider reviewing and restricting the use of BatchCheck operations with varying contexts. While a direct workaround is difficult, carefully auditing and limiting the scope of BatchCheck requests can reduce the attack surface. After upgrading, confirm the fix by performing thorough testing of your OpenFGA policies and BatchCheck operations, ensuring that access controls are functioning as expected.
Upgrade to version 1.14.0 or higher to mitigate the vulnerability. This update fixes a deduplication issue in BatchCheck that could result in incorrect authorization decisions due to cache-key collisions.
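To show the class of defect described in the two passages above (context-dependent checks collapsed by a deduplication key that omits context), here is an added Go model, not OpenFGA's own code: a batch evaluator memoises results under two key schemes, one that ignores context and one that folds a digest of the canonical context into the key. The `evaluate` rule and the `hour` context attribute are assumptions constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// CheckItem is one entry of a BatchCheck request: a relation tuple plus its context.
type CheckItem struct {
	User, Relation, Object string
	Context                map[string]any
}
// weakKey ignores context, so checks on the same tuple collide (a model of the advisory's bug, not OpenFGA code).
func weakKey(it CheckItem) string { return it.User + "#" + it.Relation + "@" + it.Object }
// safeKey appends a digest of the canonical context so distinct contexts never collide.
func safeKey(it CheckItem) string {
	b, _ := json.Marshal(it.Context) // encoding/json sorts map keys: equal contexts encode equally
	sum := sha256.Sum256(b)
	return weakKey(it) + "|" + hex.EncodeToString(sum[:])
}
// evaluate is a constructed stand-in policy (assumption): allow only during business hours per the context.
func evaluate(it CheckItem) bool {
	h, ok := it.Context["hour"].(float64)
	return ok && h >= 9 && h < 17
}

// batchCheck evaluates each item, memoising results under the supplied key scheme.
func batchCheck(items []CheckItem, key func(CheckItem) string) []bool {
	cache, out := map[string]bool{}, make([]bool, len(items))
	for i, it := range items {
		if r, hit := cache[key(it)]; hit {
			out[i] = r // reused result: correct only if the key captured everything the policy reads
		} else {
			out[i] = evaluate(it)
			cache[key(it)] = out[i]
		}
	}
	return out
}

func main() {
	items := []CheckItem{ // constructed request: same tuple, two different contexts
		{"user:anne", "viewer", "document:1", map[string]any{"hour": 10.0}},
		{"user:anne", "viewer", "document:1", map[string]any{"hour": 23.0}},
	}
	fmt.Println(batchCheck(items, weakKey)) // [true true]: second result wrongly reused
	fmt.Println(batchCheck(items, safeKey)) // [true false]
}
```

A regression test of this shape (same tuple, differing contexts, independent expected results) is a direct way to confirm the behaviour after upgrading.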
CVE-2026-34972 is a medium severity vulnerability in OpenFGA where BatchCheck operations with differing contexts for the same user/object/relation can bypass policy enforcement, potentially granting unauthorized access.
You are affected if you use OpenFGA versions prior to 1.14.0 and utilize BatchCheck operations that rely on context with multiple checks for the same user/object/relation combination.
Upgrade to OpenFGA version 1.14.0 or later to resolve this vulnerability. Review and restrict BatchCheck operations with varying contexts as a temporary mitigation.
There is currently no evidence of active exploitation, but the vulnerability is potentially exploitable by skilled attackers.
Refer to the OpenFGA security advisory for detailed information and updates: [https://github.com/openfga/openfga/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)