CVE-2026-33729 Overview
CVE-2026-33729 is an Improper Input Validation vulnerability affecting OpenFGA, a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request, potentially leading to incorrect authorization decisions.
Critical Impact
Authorization bypass through cache key collision allows attackers to potentially gain unauthorized access by exploiting cached authorization results from different requests, compromising the integrity of permission checks in downstream systems.
Affected Products
- OpenFGA versions prior to 1.13.1
- OpenFGA deployments with caching enabled
- OpenFGA models using relations that rely on condition evaluation
Discovery Timeline
- 2026-03-27 - CVE CVE-2026-33729 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33729
Vulnerability Analysis
This vulnerability is classified under CWE-20 (Improper Input Validation) and stems from a flaw in how OpenFGA generates cache keys for authorization check requests. When models use relations that rely on condition evaluation and caching is enabled, the cache key generation algorithm fails to properly account for all relevant request parameters. This results in cache key collisions where distinct authorization requests can produce identical cache keys.
The consequence is that OpenFGA may return a cached authorization result from a previous, unrelated request. In an authorization engine context, this means a user could potentially receive an "allow" response based on another user's cached authorization check, or vice versa. This undermines the fundamental integrity of the permission system.
Root Cause
The root cause lies in insufficient input differentiation during cache key computation. When generating cache keys for requests involving conditional relations, the algorithm does not incorporate all distinguishing factors of the request context. This creates a collision scenario where semantically different authorization checks hash to the same cache key, causing the caching layer to return stale or incorrect results.
Attack Vector
The attack requires network access and authenticated interaction with the OpenFGA service. An attacker with low-level privileges can exploit this vulnerability by crafting authorization check requests that intentionally collide with cached entries from other users or contexts. The attack complexity is moderate as it requires specific conditions to be met: the target model must use relations with conditions, and caching must be enabled.
The attack mechanism involves timing requests to coincide with or follow legitimate cached authorization checks, then submitting crafted requests designed to produce matching cache keys. If successful, the attacker receives the cached authorization result from a different request context, potentially bypassing intended access controls.
Detection Methods for CVE-2026-33729
Indicators of Compromise
- Anomalous authorization decisions where users gain access to resources they shouldn't have
- Inconsistent permission check results for the same user/resource pair across short time windows
- Cache hit rates for authorization checks that deviate significantly from expected patterns
- Audit log entries showing successful resource access without corresponding valid permission grants
Detection Strategies
- Monitor authorization audit logs for permission grants that don't match configured policies
- Implement secondary validation for sensitive operations to detect discrepancies with primary authorization checks
- Deploy anomaly detection on cache hit/miss patterns in the OpenFGA service
- Cross-reference access logs with permission models to identify unauthorized access patterns
Monitoring Recommendations
- Enable detailed logging for all authorization check requests including cache hit/miss status
- Set up alerting for authorization decisions that conflict with explicit deny rules
- Monitor for patterns of repeated similar requests from different user contexts that could indicate exploitation attempts
- Review cache metrics for unexpected collision rates or cache hit patterns
How to Mitigate CVE-2026-33729
Immediate Actions Required
- Upgrade OpenFGA to version 1.13.1 or later immediately
- Temporarily disable caching in OpenFGA if immediate upgrade is not possible
- Review recent authorization decisions for potential unauthorized access
- Audit access logs for any suspicious authorization patterns during the exposure window
Patch Information
OpenFGA version 1.13.1 contains the fix for this vulnerability. The patch addresses the cache key generation algorithm to properly incorporate all relevant request parameters when computing cache keys for conditional relations. Users should update to this version or later to remediate the vulnerability.
For detailed patch information, see the GitHub Commit Update and the GitHub Release v1.13.1. Additional technical details are available in the GitHub Security Advisory GHSA-h6c8-cww8-35hf.
Workarounds
- Disable caching in OpenFGA until the patch can be applied by setting appropriate configuration flags
- Remove or refactor conditional relations from authorization models if they are not strictly necessary
- Implement additional authorization validation at the application layer as a defense-in-depth measure
- Consider implementing request-level cache invalidation for sensitive operations
# Disable OpenFGA caching as a temporary workaround
# Set in your OpenFGA configuration file or environment variables
OPENFGA_CHECK_QUERY_CACHE_ENABLED=false
# Alternatively, reduce cache TTL to minimize exposure window
OPENFGA_CHECK_QUERY_CACHE_TTL=0s
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
