Medium severity5.0NVD Advisory· Published Apr 6, 2026· Updated Apr 20, 2026

CVE-2026-34972

Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/openfga/openfgaGo	>= 1.8.0, < 1.14.0	1.14.0

Affected products

Openfga/Helm Charts
cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*
Range: >=0.2.16,<0.2.62
Openfga/Openfga
cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*
Range: >=1.8.0,<1.14.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-jwvj-g8pc-cx45ghsaADVISORY
github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-34972ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.325
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000