CVE Catalog

CVE-2026-48096

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

3th percentile — higher than 3% of all known CVEs

Summary

OpenFGA, an authorization engine, prior to version 1.16.0, had an issue with iterator caching where two distinct check requests could produce the same cache key. This led to the reuse of an earlier cached result for a subsequent request.

Risk Assessment

Organizations may be exposed to unauthorized access as results from earlier requests could be improperly used in new contexts.

Recommendation

It is recommended to upgrade OpenFGA to version 1.16.0 or later to mitigate this vulnerability.

Original NVD description (English source)

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS