CVE-2026-41131: OpenFGA Auth Bypass Vulnerability

CVE-2026-41131 Overview

CVE-2026-41131 is an Authorization Bypass vulnerability in OpenFGA, an authorization and permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request, potentially leading to incorrect authorization decisions.

Critical Impact

This cache key collision vulnerability could allow unauthorized access or deny legitimate access by returning incorrect authorization check results from the cache.

Affected Products

• OpenFGA versions prior to 1.14.1
• OpenFGA deployments with caching enabled
• OpenFGA models using relations that rely on condition evaluation

Discovery Timeline

• 2026-04-22 - CVE-2026-41131 published to NVD
• 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-41131

Vulnerability Analysis

This vulnerability falls under CWE-706 (Use of Incorrectly-Resolved Name or Reference), where the cache key generation mechanism fails to properly differentiate between distinct authorization check requests. When OpenFGA processes authorization checks with conditions, it generates cache keys to store and retrieve results for performance optimization. However, a flaw in the key generation logic causes two semantically different check requests to produce identical cache keys under specific circumstances.

The impact of this vulnerability affects the integrity of authorization decisions. When an earlier cached result is incorrectly reused for a different request, users may be granted access they should not have, or legitimate users may be denied access they should receive. This is particularly concerning in fine-grained authorization scenarios where conditions are used to implement context-aware access control.

Root Cause

The root cause lies in the cache key generation algorithm not incorporating all relevant parameters from condition-based authorization checks. When models include relations that depend on condition evaluation, the cache key fails to uniquely identify the specific combination of request parameters, leading to cache collisions between distinct authorization requests.

Attack Vector

The vulnerability requires network access and can be exploited when an attacker can influence the timing and order of authorization check requests. An attacker with low-level privileges could potentially exploit this by crafting specific request sequences that cause favorable authorization results to be cached and then reused for requests that should otherwise be denied.

The attack scenario involves:

1. Submitting an authorization check request that evaluates to "allowed" due to specific conditions
2. The result is cached with an incorrectly generated cache key
3. A subsequent request with different parameters that should evaluate to "denied" produces the same cache key
4. OpenFGA returns the cached "allowed" result instead of performing a fresh evaluation

Detection Methods for CVE-2026-41131

Indicators of Compromise

• Unexpected authorization decisions that grant or deny access inconsistently
• Users reporting intermittent access issues to resources they should or should not access
• Audit logs showing authorization decisions that contradict configured policies
• Cache hit ratios that are unusually high for condition-based authorization checks

Detection Strategies

• Monitor authorization check results for inconsistencies between similar requests with different conditions
• Implement audit logging for all authorization decisions and compare against expected policy outcomes
• Review application logs for patterns where access control decisions appear to flip unexpectedly
• Test authorization behavior with condition-based models under concurrent request scenarios

Monitoring Recommendations

• Enable detailed logging for OpenFGA authorization check requests and responses
• Set up alerts for authorization decision anomalies in security monitoring systems
• Monitor cache statistics to identify unusual patterns in cache key generation
• Implement periodic automated testing of authorization policies with known expected outcomes

How to Mitigate CVE-2026-41131

Immediate Actions Required

• Upgrade OpenFGA to version 1.14.1 or later immediately
• If immediate upgrade is not possible, disable caching for models that use conditions
• Review recent authorization decisions for potential unauthorized access
• Audit access logs to identify any potential exploitation of this vulnerability

Patch Information

OpenFGA version 1.14.1 contains the fix for this cache key collision vulnerability. The patch ensures that cache keys are generated with all relevant request parameters, preventing collisions between distinct authorization check requests. For detailed information, refer to the GitHub Release v1.14.1 and the GitHub Security Advisory GHSA-57j5-qwp2-vqp6.

Workarounds

• Disable caching entirely until the upgrade to 1.14.1 can be completed
• Remove or refactor condition-dependent relations in authorization models as a temporary measure
• Implement application-level authorization verification as a secondary check
• Consider reducing cache TTL to minimize the window for cache collision exploitation

# Configuration example - Disable caching in OpenFGA
# Set the following environment variable or configuration option
OPENFGA_CHECK_QUERY_CACHE_ENABLED=false

# Or in configuration file
# check_query_cache:
#   enabled: false