Cyber Resilience

CVE-2026-33729

Severity: Medium
Published: 27 March 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: available (v1.13.1)
CVSS Score (v4): 5.8
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0024 (15.0th percentile)
Risk Priority: 35 (floored blend; peak EPSS)

Summary

CVE-2026-33729 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Openfga Openfga. Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 15.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-33729 is a vulnerability in OpenFGA, a high-performance authorization and permission engine inspired by Google Zanzibar. Affecting versions prior to 1.13.1, the issue arises under specific conditions in models using conditions with caching enabled, where two different check requests can generate the same cache key. This leads OpenFGA to reuse an earlier cached result for a different request, potentially causing incorrect authorization decisions. Systems are impacted only if models include relations that rely on condition evaluation and caching is enabled. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 20 (Improper Input Validation), 345 (Insufficient Verification of Data Authenticity), and 1289 (Improper Validation of Specified Type of Input).

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting requests that trigger cache key collisions, attackers can manipulate authorization checks, leading to high-impact confidentiality, integrity, and availability consequences. For instance, an attacker could cause OpenFGA to return an incorrect permission result from a prior cached response, potentially granting unauthorized access to resources or denying legitimate access.

The OpenFGA security advisory (GHSA-h6c8-cww8-35hf), release notes for v1.13.1, and the patching commit (049b50ccd2cc7e163bd897f3d17a7b859ad146f8) confirm that upgrading to version 1.13.1 resolves the issue by addressing the cache key generation logic. No additional workarounds are specified beyond disabling caching or avoiding condition-based relations in affected models until patching.
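To make the failure mode concrete, the following added Go example (not OpenFGA's code, and not the exact defect, which this page does not detail) contrasts a check cache keyed on the tuple alone with one that also binds the condition context. The CheckRequest type, the toy condition on "ip" and the sample requests are assumptions constructed for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CheckRequest is a hypothetical, simplified stand-in for an OpenFGA check request (not
// OpenFGA's own type); Context holds the values a relation's condition is evaluated against.
type CheckRequest struct {
	User, Relation, Object string
	Context                map[string]any
}

// KeyFunc maps a check request to its cache key.
type KeyFunc func(CheckRequest) string

// WeakCacheKey keys on the tuple alone, so requests that differ only in condition context
// collide and one request's cached verdict is served for the other. This illustrates the
// bug class in the advisory; the page does not detail the exact OpenFGA defect.
func WeakCacheKey(r CheckRequest) string { return r.User + "#" + r.Relation + "@" + r.Object }

// StrongCacheKey also binds the context. encoding/json emits map keys in sorted order, so
// the encoding is canonical: equal contexts give equal keys whatever the map iteration order.
func StrongCacheKey(r CheckRequest) string {
	ctx, _ := json.Marshal(r.Context) // plain string/number values cannot fail to encode
	return WeakCacheKey(r) + "|" + string(ctx)
}

// Resolve serves the cached verdict for r's key if present; otherwise it evaluates a toy
// condition ("ip" must equal 10.0.0.5), stores the verdict and reports a cache miss.
func Resolve(cache map[string]bool, key KeyFunc, r CheckRequest) (allowed, fromCache bool) {
	if v, ok := cache[key(r)]; ok {
		return v, true
	}
	allowed = r.Context["ip"] == "10.0.0.5"
	cache[key(r)] = allowed
	return allowed, false
}

func main() {
	trusted := CheckRequest{"anne", "viewer", "doc:1", map[string]any{"ip": "10.0.0.5"}}
	other := CheckRequest{"anne", "viewer", "doc:1", map[string]any{"ip": "203.0.113.9"}}
	for _, key := range []KeyFunc{WeakCacheKey, StrongCacheKey} {
		cache := map[string]bool{}
		Resolve(cache, key, trusted)            // warm the cache with the allowed verdict
		fmt.Println(Resolve(cache, key, other)) // weak key prints "true true", strong "false false"
	}
}
```

With the weak key the second request, whose condition context should make it fail, inherits the first request's allowed verdict from the cache; with the strong key it is evaluated on its own.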

Vulnerability details

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation and caching is enabled. OpenFGA v1.13.1 contains a patch.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Cache collision enables remote unauthenticated authz bypass on the OpenFGA service (public API), directly supporting exploitation for privilege escalation and initial access via crafted requests to a public-facing application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-55213 (same product: Openfga Openfga)
CVE-2026-24851 (same product: Openfga Openfga)
CVE-2025-25196 (same product: Openfga Openfga)
CVE-2026-34972 (same product: Openfga Openfga)
CVE-2024-56323 (same product: Openfga Openfga)
CVE-2026-2750 (shared CWE-20)
CVE-2026-43534 (shared CWE-345)
CVE-2025-27494 (shared CWE-20)
CVE-2025-59886 (shared CWE-20)
CVE-2025-30213 (shared CWE-20)

Affected Assets

Vendor: openfga
Product: openfga
Affected versions: ≤ 1.13.1

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mandates timely patching of the OpenFGA cache key collision flaw as fixed in v1.13.1 to prevent incorrect authorization decisions.

CM-6 Configuration Settings (prevent): Enforces secure configuration settings such as disabling caching in OpenFGA models with conditions, serving as an effective workaround until patching.

Input validation (prevent): Requires validation of authorization check request inputs to mitigate risks from crafted requests causing cache key collisions due to improper input handling.
