Cyber Posture

CVE-2026-34972

Severity: Medium
Published: 06 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: fixed in OpenFGA 1.14.0
CVSS Score: 5.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0002 (5.1th percentile)
Risk Priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34972 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in the OpenFGA authorization engine. The flaw is in the OpenFGA server itself; the OpenFGA Helm chart is listed as affected because the chart versions in range deploy vulnerable server releases. Its CVSS base score is 5.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated mapping)

AC-3 Access Enforcement (prevent)
Mandates enforcement of approved authorizations for access to resources, directly addressing the improper policy enforcement in OpenFGA BatchCheck calls that contain duplicate object-relation-user combinations.

SI-2 Flaw Remediation (prevent)
Requires identification, reporting, and correction of flaws such as CVE-2026-34972 through timely patching; here, upgrading OpenFGA to version 1.14.0.

AC-25 Reference Monitor (prevent)
Requires a reference monitor that enforces access control policy and is tamperproof, always invoked, and small enough to be analysed and tested. OpenFGA is the reference monitor in deployments that rely on it, so a bug in its decision logic is a failure of this control; the control argues for verifying the engine's decisions (for example by cross-checking BatchCheck results against single Check calls) rather than trusting them blindly.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is an authorization bypass (improper policy enforcement) allowing a low-privileged network attacker to circumvent intended checks in OpenFGA, directly enabling exploitation for privilege escalation to access unauthorized resources.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.

Deeper analysis (AI-generated)

CVE-2026-34972 is an Incorrect Authorization vulnerability (CWE-863) in OpenFGA, a high-performance and flexible authorization and permission engine inspired by Google Zanzibar, that manifests as improper policy enforcement. It affects versions 1.8.0 through 1.13.1, where a single BatchCheck request containing multiple checks for the same object, relation, and user combination can, under specific conditions, produce an authorization decision that does not match the model. The NVD description does not state what those conditions are; the GitHub advisory is the authoritative source for them.

Exploitation requires network access (AV:N), high attack complexity (AC:H), low privileges (PR:L), and no user interaction (UI:N), and results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) within unchanged scope (S:U), for an overall CVSS v3.1 score of 5.0. In practice, PR:L means the attacker must already be able to submit BatchCheck requests to the store, so the exposure depends on how many principals can reach the OpenFGA API. A low-privileged attacker who can shape a BatchCheck request could use the flaw to obtain a decision that bypasses the intended authorization check in affected deployments; until the server is upgraded, BatchCheck responses from affected versions should not be treated as authoritative for requests that repeat a tuple.

The issue is addressed in OpenFGA version 1.14.0. Additional details on the vulnerability, including reproduction steps and mitigation recommendations, are available in the GitHub security advisory at https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45.
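A client-side hedge for the condition described above, as an added example that is not code from the OpenFGA project or from this page: it collapses duplicate user/relation/object combinations before a BatchCheck request is sent (so an affected server never sees the triggering duplicates), fans the server's per-correlation-id results back out to the original callers while failing closed on any result the server did not return, and provides a cross-check that flags any batch decision disagreeing with a single Check of the same tuple. The JSON field names (checks, tuple_key, correlation_id, allowed) are assumed from the OpenFGA BatchCheck HTTP API and should be verified against your server's OpenAPI document; the sample checks and the server reply are constructed. Deduplicating is a stop-gap for deployments that cannot move to 1.14.0 immediately, not a replacement for the upgrade.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// TupleKey is the user/relation/object triple one OpenFGA check asks about.
// JSON tags assume the field names of the OpenFGA BatchCheck HTTP API.
type TupleKey struct {
	User     string `json:"user"`
	Relation string `json:"relation"`
	Object   string `json:"object"`
}

// CheckItem is one entry of the request's "checks" array. CorrelationID is a
// caller-chosen id that the server echoes as the key of its result map.
type CheckItem struct {
	TupleKey      TupleKey `json:"tuple_key"`
	CorrelationID string   `json:"correlation_id"`
}

// BatchCheckRequest is the body sent to POST /stores/{store_id}/batch-check (assumed path).
type BatchCheckRequest struct {
	Checks []CheckItem `json:"checks"`
}

// CheckResult is one entry of the server's "result" map.
type CheckResult struct {
	Allowed bool `json:"allowed"`
}

// key canonicalises a tuple so two checks for the same combination collide.
func (t TupleKey) key() string { return t.User + "#" + t.Relation + "@" + t.Object }

// Dedupe collapses checks that share a user/relation/object into a single
// request item and records which original correlation ids each one stands for.
// First-appearance order is preserved so the outgoing request is deterministic.
func Dedupe(checks []CheckItem) ([]CheckItem, map[string][]string) {
	canonical := map[string]string{} // tuple key -> correlation id kept in the request
	groups := map[string][]string{}  // kept correlation id -> all original ids
	var unique []CheckItem
	for _, c := range checks {
		k := c.TupleKey.key()
		if id, seen := canonical[k]; seen {
			groups[id] = append(groups[id], c.CorrelationID)
			continue
		}
		canonical[k] = c.CorrelationID
		groups[c.CorrelationID] = []string{c.CorrelationID}
		unique = append(unique, c)
	}
	return unique, groups
}

// FanOut copies each deduplicated result back to every original correlation id.
// A result the server did not return is reported and treated as denied, so a
// short reply can never turn into an implicit allow.
func FanOut(results map[string]CheckResult, groups map[string][]string) (map[string]CheckResult, []string) {
	out := map[string]CheckResult{}
	var missing []string
	for kept, ids := range groups {
		r, ok := results[kept]
		for _, id := range ids {
			if !ok {
				missing = append(missing, id)
				out[id] = CheckResult{Allowed: false}
				continue
			}
			out[id] = r
		}
	}
	sort.Strings(missing)
	return out, missing
}

// Inconsistent compares every batch decision with a single Check of the same
// tuple (supplied by the caller, e.g. a wrapper around the /check endpoint)
// and returns the correlation ids whose decisions disagree.
func Inconsistent(checks []CheckItem, batch map[string]CheckResult, single func(TupleKey) bool) []string {
	var bad []string
	for _, c := range checks {
		if batch[c.CorrelationID].Allowed != single(c.TupleKey) {
			bad = append(bad, c.CorrelationID)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed sample: two callers ask the same question about alice, which
	// is exactly the duplicate combination the advisory describes.
	checks := []CheckItem{
		{TupleKey{"user:alice", "viewer", "document:report"}, "c1"},
		{TupleKey{"user:alice", "viewer", "document:report"}, "c2"},
		{TupleKey{"user:bob", "editor", "document:report"}, "c3"},
	}
	unique, groups := Dedupe(checks)
	body, _ := json.Marshal(BatchCheckRequest{Checks: unique})
	fmt.Println(string(body)) // the request actually sent carries c1 and c3 only

	// Constructed stand-in for the server's "result" map.
	reply := map[string]CheckResult{"c1": {Allowed: true}, "c3": {Allowed: false}}
	full, missing := FanOut(reply, groups)
	fmt.Println(full["c2"].Allowed, missing) // c2 inherits c1's decision; nothing missing
}
```

Wire Dedupe and FanOut around whatever client sends the batch, and run Inconsistent with a real single-Check function in a staging environment against the affected version: a non-empty return is a direct signal that the batch path and the single path disagree for that model and data.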

Details

CWE(s)
CWE-863 Incorrect Authorization

Affected Products
openfga / helm charts: 0.2.16 to 0.2.62
openfga / openfga: 1.8.0 up to, but not including, 1.14.0 (that is, 1.8.0 through 1.13.1; 1.14.0 is the fixed release)

CVEs Like This One

- CVE-2025-55213 (same product: Openfga Helm Charts)
- CVE-2026-24851 (same product: Openfga Helm Charts)
- CVE-2025-25196 (same product: Openfga Helm Charts)
- CVE-2024-56323 (same product: Openfga Helm Charts)
- CVE-2026-33729 (same product: Openfga Openfga)
- CVE-2026-22806 (shared CWE-863)
- CVE-2025-0359 (shared CWE-863)
- CVE-2026-41344 (shared CWE-863)
- CVE-2025-4960 (shared CWE-863)
- CVE-2024-45328 (shared CWE-863)

References

- GitHub Security Advisory GHSA-jwvj-g8pc-cx45: https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45