
CVE-2026-48096: OpenFGA Auth Bypass Vulnerability

CVE-2026-48096 is an authorization bypass flaw in OpenFGA that stems from incorrect cache key generation, allowing a client to receive another request's cached authorization result. This article covers technical details, affected versions, and mitigation.

CVE-2026-48096 Overview

CVE-2026-48096 is an authorization decision integrity issue in OpenFGA, an open-source authorization and permission engine. When iterator caching is enabled, two distinct check requests can generate identical cache keys. OpenFGA then reuses an earlier cached authorization result for a subsequent, unrelated request. This breaks the integrity of authorization decisions returned to clients.

The flaw is tracked under CWE-345: Insufficient Verification of Data Authenticity. The OpenFGA maintainers patched the issue in version 1.16.0.

Critical Impact

An attacker with low privileges on a network-accessible OpenFGA instance can receive authorization decisions belonging to a different check request, potentially gaining access to resources they should not be permitted to view or modify.

Affected Products

  • OpenFGA versions prior to 1.16.0 with iterator caching enabled
  • Applications and microservices that delegate authorization decisions to a vulnerable OpenFGA instance
  • Self-hosted OpenFGA deployments configured with cache options that activate the iterator cache path

Discovery Timeline

  • 2026-06-10 - CVE-2026-48096 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-48096

Vulnerability Analysis

OpenFGA evaluates authorization queries by traversing relationship tuples stored in its data layer. To accelerate repeated lookups, the engine caches iterator results keyed on the inputs that define a check operation. The vulnerable cache key derivation does not uniquely represent every input dimension that influences the authorization outcome.

As a result, two semantically different check requests can hash to the same cache slot. The second request reads the cached entry written by the first and returns its result without re-evaluating the relationship graph. The caller receives an authorization decision that was computed for a different subject, object, or relation.

The attack complexity is high because exploitation requires the attacker to craft inputs that collide with a cached entry produced by another tenant or principal. The impact spans confidentiality, integrity, and availability of authorization decisions, since an incorrect allow or deny can both expose data and disrupt legitimate access.

Root Cause

The root cause is an incomplete cache key in the iterator caching layer introduced as a performance optimization. The key omits or insufficiently encodes fields that distinguish independent check requests. The fix in version 1.16.0 adjusts cache key construction so that distinct requests no longer share a key.
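The following Go model, added here as an illustration and not taken from the OpenFGA code base, shows the mechanism the root cause describes: a cache key that omits one request dimension lets a second, differently-scoped check read the first check's decision, while a key that length-prefixes every dimension keeps the two apart. The page does not say which field the real key under-encoded; dropping the user here is an assumption for demonstration only.

```go
package main

import (
	"fmt"
	"strings"
)

// CheckRequest carries the dimensions a Check call is keyed on (constructed model).
type CheckRequest struct {
	StoreID, User, Relation, Object string
}

// legacyKey models an under-specified key: it omits the user, so checks by
// different users on the same relation/object share a cache slot.
// (The page does not say which field the real key dropped; this is illustrative.)
func legacyKey(r CheckRequest) string {
	return strings.Join([]string{r.StoreID, r.Relation, r.Object}, "|")
}

// fixedKey encodes every dimension that influences the decision. Each field is
// length-prefixed so "a|b"+"c" and "a"+"b|c" cannot produce the same key.
func fixedKey(r CheckRequest) string {
	var b strings.Builder
	for _, f := range []string{r.StoreID, r.User, r.Relation, r.Object} {
		fmt.Fprintf(&b, "%d:%s|", len(f), f)
	}
	return b.String()
}

// cachedChecker is a toy decision cache in front of a slow ground-truth evaluator.
type cachedChecker struct {
	keyFn    func(CheckRequest) string
	evaluate func(CheckRequest) bool
	cache    map[string]bool
}

func (c *cachedChecker) Check(r CheckRequest) bool {
	k := c.keyFn(r)
	if allowed, hit := c.cache[k]; hit {
		return allowed // cache hit: the relationship graph is not re-evaluated
	}
	allowed := c.evaluate(r)
	c.cache[k] = allowed
	return allowed
}

// collisionDemo: only alice is a viewer of document:1. It checks alice, then bob,
// and returns both decisions; with legacyKey bob inherits alice's cached allow.
func collisionDemo(keyFn func(CheckRequest) string) (aliceAllowed, bobAllowed bool) {
	onlyAlice := func(r CheckRequest) bool { return r.User == "user:alice" }
	c := &cachedChecker{keyFn: keyFn, evaluate: onlyAlice, cache: map[string]bool{}}
	aliceAllowed = c.Check(CheckRequest{"s1", "user:alice", "viewer", "document:1"})
	bobAllowed = c.Check(CheckRequest{"s1", "user:bob", "viewer", "document:1"})
	return
}
```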

Attack Vector

The vulnerability is reachable over the network through the standard OpenFGA Check API. An authenticated low-privilege client issues check requests whose parameters collide with another request currently held in the iterator cache. Exploitation requires iterator caching to be enabled on the target deployment, which is a non-default but common production configuration for latency-sensitive workloads.

No verified exploit code or public proof-of-concept is available for CVE-2026-48096. Refer to the OpenFGA Security Advisory GHSA-8396-jffm-qx4w for technical details on the affected code paths.

Detection Methods for CVE-2026-48096

Indicators of Compromise

  • Authorization audit logs showing allow decisions for principals that lack the corresponding relationship tuples
  • Application-side access denials that intermittently flip to allow without any tuple write event in between
  • OpenFGA instances running a version earlier than 1.16.0 with cache iterator options enabled in configuration

Detection Strategies

  • Inventory all OpenFGA deployments and extract the running version from /healthz or container image metadata to flag any release below 1.16.0
  • Review OpenFGA configuration for cache-related flags such as OPENFGA_CHECK_ITERATOR_CACHE_ENABLED and identify environments where the iterator cache path is active
  • Correlate Check API request and response logs to find cases where identical responses are returned for requests with differing user, relation, or object fields

Monitoring Recommendations

  • Stream OpenFGA access and decision logs into a centralized analytics platform and alert on authorization decisions that contradict the underlying tuple store
  • Add synthetic check probes that issue known-distinct requests in rapid succession and assert that responses match expected ground truth
  • Track the rate of allowed=true responses per tenant and alert on statistical anomalies that may indicate cache collision exploitation
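The indicator "allow decisions for principals that lack the corresponding relationship tuples" and the recommendation to alert on decisions that contradict the tuple store can be checked by replaying logged decisions against a tuple snapshot. The Go program below is an added example, not OpenFGA's own tooling; the JSON log format and the tuple set are constructed for the demonstration, and only direct tuples are resolved, so a hit means "revalidate this decision", not a confirmed breach.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// decision is one line of a constructed OpenFGA-style Check decision log.
type decision struct {
	StoreID  string `json:"store_id"`
	User     string `json:"user"`
	Relation string `json:"relation"`
	Object   string `json:"object"`
	Allowed  bool   `json:"allowed"`
}

// tupleKey identifies a direct relationship tuple in the canonical store.
func tupleKey(user, relation, object string) string {
	return user + "#" + relation + "@" + object
}

// contradictions replays every allow decision against the set of direct tuples
// and returns those with no backing tuple. Model-derived (computed) relations are
// not resolved here, so each hit is a candidate for revalidation, not proof.
func contradictions(logLines string, tuples map[string]bool) ([]decision, error) {
	var out []decision
	for _, line := range strings.Split(strings.TrimSpace(logLines), "\n") {
		var d decision
		if err := json.Unmarshal([]byte(line), &d); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		if d.Allowed && !tuples[tupleKey(d.User, d.Relation, d.Object)] {
			out = append(out, d)
		}
	}
	return out, nil
}

// Constructed sample data: alice holds the only viewer tuple on document:1.
var sampleTuples = map[string]bool{
	tupleKey("user:alice", "viewer", "document:1"): true,
}

const sampleLog = `{"store_id":"s1","user":"user:alice","relation":"viewer","object":"document:1","allowed":true}
{"store_id":"s1","user":"user:bob","relation":"viewer","object":"document:1","allowed":true}
{"store_id":"s1","user":"user:bob","relation":"editor","object":"document:1","allowed":false}`

func main() {
	hits, err := contradictions(sampleLog, sampleTuples)
	if err != nil {
		panic(err)
	}
	for _, d := range hits {
		fmt.Printf("REVALIDATE: %s allowed as %s on %s without a direct tuple\n", d.User, d.Relation, d.Object)
	}
}
```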

How to Mitigate CVE-2026-48096

Immediate Actions Required

  • Upgrade all OpenFGA servers to version 1.16.0 or later, which contains the corrected cache key construction
  • Until patching is complete, disable iterator caching on production OpenFGA instances to remove the vulnerable code path
  • Audit recent authorization decisions for high-value resources and revalidate them against the canonical tuple store

Patch Information

The issue is fixed in OpenFGA 1.16.0. Release notes and binaries are available at the OpenFGA v1.16.0 release page. The corresponding advisory is published as GHSA-8396-jffm-qx4w.

Workarounds

  • Set the iterator cache configuration option to disabled and restart the OpenFGA process to clear in-memory cache state
  • Reduce cache TTL to a minimal value if disabling the cache outright is not operationally feasible, narrowing the window in which a collision can be observed
  • Route authorization checks for sensitive resources through a dedicated OpenFGA instance running 1.16.0 while other workloads are migrated
```bash
# Configuration example: disable the iterator caches via environment variables.
# These must be set in the OpenFGA process environment; restart the process
# afterwards so the in-memory cache state is cleared.
export OPENFGA_CHECK_ITERATOR_CACHE_ENABLED=false
export OPENFGA_LIST_OBJECTS_ITERATOR_CACHE_ENABLED=false

# Verify the running OpenFGA version is 1.16.0 or later
curl -s http://openfga.internal:8080/healthz
docker inspect openfga | grep -i version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
