CVE-2026-34972
ADVISORY - github
Summary
Description
In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement.
Am I affected?
You are affected if you meet the following preconditions:
- You execute BatchCheck operations which rely on context.
- Multiple checks are sent within a single BatchCheck operation for the same user/object/relation combination, each containing context.
- The contexts between those checks differ in a specific way.
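One way to test a captured BatchCheck request body against the preconditions above, as an added example that is not part of the advisory or of OpenFGA's code. It assumes the public BatchCheck JSON field names (checks, tuple_key, context, correlation_id); AtRiskGroups and the sample request are constructed for illustration. The advisory does not say how the contexts must differ, so any difference is flagged.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Field names assumed from OpenFGA's public BatchCheck request JSON.
type check struct {
	TupleKey      struct{ User, Relation, Object string } `json:"tuple_key"`
	Context       map[string]any                          `json:"context"`
	CorrelationID string                                  `json:"correlation_id"`
}

// Constructed sample request: anne's two checks differ only in context.
const sampleBatch = `{"checks":[
{"tuple_key":{"user":"user:anne","relation":"viewer","object":"document:1"},"context":{"ip":"10.0.0.5"},"correlation_id":"a"},
{"tuple_key":{"user":"user:anne","relation":"viewer","object":"document:1"},"context":{"ip":"203.0.113.9"},"correlation_id":"b"},
{"tuple_key":{"user":"user:bob","relation":"viewer","object":"document:1"},"context":{"ip":"10.0.0.5"},"correlation_id":"c"}]}`

// AtRiskGroups maps "user relation object" to the correlation IDs of checks
// that share that key, all carry context, and do not all have equal context.
func AtRiskGroups(raw []byte) (map[string][]string, error) {
	var req struct{ Checks []check }
	if err := json.Unmarshal(raw, &req); err != nil {
		return nil, fmt.Errorf("decode BatchCheck request: %w", err)
	}
	groups := map[string][]check{}
	for _, c := range req.Checks {
		if k := c.TupleKey; len(c.Context) > 0 { // only context-bearing checks
			key := k.User + " " + k.Relation + " " + k.Object
			groups[key] = append(groups[key], c)
		}
	}
	flagged := map[string][]string{}
	for key, g := range groups {
		for _, c := range g[1:] {
			if !reflect.DeepEqual(g[0].Context, c.Context) {
				for _, m := range g { // report every check in the group
					flagged[key] = append(flagged[key], m.CorrelationID)
				}
				break
			}
		}
	}
	return flagged, nil
}

func main() { fmt.Println(AtRiskGroups([]byte(sampleBatch))) }
```

A non-empty result means the request matches the listed preconditions on a pre-v1.14.0 server; it does not confirm that the contexts differ in the specific way the advisory refers to.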
Fix
Upgrade to OpenFGA v1.14.0.
Acknowledgement
OpenFGA would like to thank @bugbunny-research for the discovery and detailed report.
EPSS Score: 0.00034 (0.100)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Incorrect Authorization
ADVISORY - github
Incorrect Authorization
ADVISORY - redhat
Authorization Bypass Through User-Controlled Key
Docker: advisory ID CVE-2026-34972; exploitability score -; exploits found -; CWE -
NIST: advisory ID CVE-2026-34972; exploitability score 1.6; exploits found -; CVSS score 5 (medium)
GitHub: advisory ID GHSA-jwvj-g8pc-cx45; exploitability score 1.6; exploits found -; CVSS score 5 (medium)
Red Hat: advisory ID CVE-2026-34972; exploitability score 1.6; exploits found -; CVSS score 4.2 (medium)
Chainguard: advisory ID CGA-rfvj-mw43-h8w8; exploitability score -; exploits found -; CWE -
minimos: advisory ID MINI-668m-4jv8-q77w; exploitability score -; exploits found -; CWE -
minimos: advisory ID MINI-8786-9qqj-wp4h; exploitability score -; exploits found -; CWE -
minimos: advisory ID MINI-8f64-j27p-r8c5; exploitability score -; exploits found -; CWE -
minimos: advisory ID MINI-c3rw-pmh3-wx28; exploitability score -; exploits found -; CWE -
minimos: advisory ID MINI-m4xg-7jmp-54q9; exploitability score -; exploits found -; CWE -
minimos: advisory ID MINI-mg7j-mpxm-wwr8; exploitability score -; exploits found -; CWE -
minimos: advisory ID MINI-mhc9-633j-wq4j; exploitability score -; exploits found -; CWE -
minimos: advisory ID MINI-xhgj-fxvp-2x27; exploitability score -; exploits found -; CWE -