CVE-2026-33729
Published: 27 March 2026
Summary
CVE-2026-33729 is a critical-severity Improper Input Validation (CWE-20) vulnerability in OpenFGA (listed as vendor Openfga, product Openfga). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 4.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely patching of the OpenFGA cache key collision flaw as fixed in v1.13.1, to prevent incorrect authorization decisions.
- CM-6 (Configuration Settings): enforces secure configuration settings such as disabling caching in OpenFGA models that use conditions, serving as an effective workaround until patching.
- Input validation: requires validation of authorization check request inputs to mitigate the risk of crafted requests causing cache key collisions through improper input handling.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A cache key collision enables a remote, unauthenticated authorization bypass on the OpenFGA service's public API, which directly supports exploitation for privilege escalation and initial access through crafted requests to a public-facing application.
NVD Description
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation and caching is enabled. OpenFGA v1.13.1 contains a patch.
Deeper analysis
CVE-2026-33729 is a vulnerability in OpenFGA, a high-performance authorization and permission engine inspired by Google Zanzibar. Affecting versions prior to 1.13.1, the issue arises under specific conditions in models using conditions with caching enabled, where two different check requests can generate the same cache key. This leads OpenFGA to reuse an earlier cached result for a different request, potentially causing incorrect authorization decisions. Systems are impacted only if models include relations that rely on condition evaluation and caching is enabled. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 20 (Improper Input Validation), 345 (Insufficient Verification of Data Authenticity), and 1289 (Improper Validation of Specified Type of Input).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting requests that trigger cache key collisions, attackers can manipulate authorization checks, leading to high-impact confidentiality, integrity, and availability consequences. For instance, an attacker could cause OpenFGA to return an incorrect permission result from a prior cached response, potentially granting unauthorized access to resources or denying legitimate access.
The OpenFGA security advisory (GHSA-h6c8-cww8-35hf), release notes for v1.13.1, and the patching commit (049b50ccd2cc7e163bd897f3d17a7b859ad146f8) confirm that upgrading to version 1.13.1 resolves the issue by addressing the cache key generation logic. No additional workarounds are specified beyond disabling caching or avoiding condition-based relations in affected models until patching.
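As an added illustration of the failure class described above (not OpenFGA's code and not the patching commit), the Go sketch below memoizes check decisions under two key functions: one that covers only the tuple and one that covers every input the decision depends on. It assumes the colliding requests differ only in condition context; the advisory does not state which inputs collide, so the request type, the toy condition and the sample values are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// CheckRequest is a simplified stand-in for an authorization check, not OpenFGA's
// request type; Context holds the values a model condition evaluates.
type CheckRequest struct {
	User, Relation, Object string
	Context                map[string]string
}

// naiveKey covers only the tuple, so two checks that differ solely in condition
// context collide (that the differing input is the context is an assumption here).
func naiveKey(r CheckRequest) [32]byte {
	return sha256.Sum256([]byte(r.User + "#" + r.Relation + "@" + r.Object))
}

// fixedKey hashes a canonical encoding of every field: encoding/json sorts map
// keys and quotes strings, so differing contexts can neither collide nor alias.
func fixedKey(r CheckRequest) [32]byte {
	b, _ := json.Marshal(r) // cannot fail for plain string fields
	return sha256.Sum256(b)
}

// Collision runs two constructed checks through a fresh memoizing cache keyed by
// key: one correctly allowed (toy condition: caller is on the corporate network),
// then one identical except for its context, which must be denied. It returns the
// second decision: true (wrongly allowed) under naiveKey, false under fixedKey.
func Collision(key func(CheckRequest) [32]byte) bool {
	cache := map[[32]byte]bool{}
	check := func(r CheckRequest) bool {
		k := key(r)
		if _, ok := cache[k]; !ok {
			cache[k] = r.Context["network"] == "corp" // miss: evaluate once, store
		}
		return cache[k] // hit: stored decision returned without re-evaluation
	}
	check(CheckRequest{"user:alice", "viewer", "doc:1", map[string]string{"network": "corp"}})
	return check(CheckRequest{"user:alice", "viewer", "doc:1", map[string]string{"network": "public"}})
}

func main() {
	fmt.Println("naive key, second check allowed:", Collision(naiveKey)) // true
	fmt.Println("fixed key, second check allowed:", Collision(fixedKey)) // false
}
```

The same property is what a defender should confirm after upgrading: a check that changes any condition input must miss the cache rather than inherit an earlier decision.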
Details
- CWE(s)