OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning

GHSA-8396-jffm-qx4w · CVE-2026-48096

Published Jun 11, 2026 · Modified Jun 12, 2026

Description

In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request.

Preconditions

This applies if the following preconditions are present:

FGA runs with SharedIteratorCache enabled,
FGA runs with ListObjectsIteratorCache enabled.

Fix

Upgrade to version 1.16.0 or greater.

Acknowledgements

OpenFGA would like to thank @j4xT for the discovery and the detailed report.

References

WEB https://github.com/openfga/openfga/security/advisories/GHSA-8396-jffm-qx4w
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-48096
PACKAGE https://github.com/openfga/openfga
WEB https://github.com/openfga/openfga/releases/tag/v1.16.0

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes