CVE-2026-34972

ADVISORY - github

Summary

Description

In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement.

Am I affected?

You are affected if you meet the following preconditions:

  1. You execute BatchCheck operations that rely on context.
  2. Multiple checks are sent within a single BatchCheck operation for the same user/object/relation combination, each containing context.
  3. The contexts between those checks differ in a specific way.
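The following is an added example, not code from OpenFGA or from this advisory. It screens an outbound BatchCheck request for the combination named in preconditions 2 and 3: the same user/object/relation tuple appearing more than once with differing contexts. Because the advisory does not say which kind of difference matters, the check treats any difference in context as a conflict, which is the conservative reading; a caller running a version before v1.14.0 can use it to split such batches into separate Check calls or reject them. The request shape assumed here (a `checks` list whose items carry a `tuple_key` with `user`, `relation` and `object`, plus an optional `context` dict and `correlation_id`) follows the OpenFGA BatchCheck API as the author of this example understands it; verify it against your version. The sample request, its model id and IP values are constructed.

```python
"""Screen an OpenFGA BatchCheck request for the precondition of CVE-2026-34972.

Added example, not OpenFGA code. The request layout (a "checks" list with
"tuple_key" {"user","relation","object"}, optional "context", "correlation_id")
is an assumption about the BatchCheck API; confirm it for your release.
"""
import json
from collections import defaultdict


def tuple_key_of(check):
    """Return the (user, relation, object) triple of one check."""
    tk = check["tuple_key"]
    return (tk["user"], tk["relation"], tk["object"])


def canonical(context):
    """Serialize a context dict so that key order does not create false conflicts."""
    return json.dumps(context or {}, sort_keys=True, separators=(",", ":"))


def find_conflicting_checks(batch_request):
    """Map each user/object/relation triple that appears more than once with
    more than one distinct context to the sorted list of those contexts.

    An empty result means preconditions 2 and 3 of the advisory cannot both
    hold for this request; any context difference is treated as a conflict,
    since the advisory does not describe the specific difference involved.
    """
    contexts_by_key = defaultdict(set)
    for check in batch_request.get("checks", []):
        contexts_by_key[tuple_key_of(check)].add(canonical(check.get("context")))
    return {key: sorted(ctxs) for key, ctxs in contexts_by_key.items() if len(ctxs) > 1}


def is_safe_to_forward(batch_request):
    """True when no triple in the batch carries differing contexts."""
    return not find_conflicting_checks(batch_request)


# Constructed sample request: anne is checked twice with different contexts,
# bob twice with the same context. Model id and addresses are placeholders.
SAMPLE_REQUEST = {
    "authorization_model_id": "MODEL-ID-PLACEHOLDER",
    "checks": [
        {"tuple_key": {"user": "user:anne", "relation": "viewer", "object": "document:roadmap"},
         "context": {"ip_address": "10.0.0.5"}, "correlation_id": "c1"},
        {"tuple_key": {"user": "user:anne", "relation": "viewer", "object": "document:roadmap"},
         "context": {"ip_address": "203.0.113.7"}, "correlation_id": "c2"},
        {"tuple_key": {"user": "user:bob", "relation": "editor", "object": "document:roadmap"},
         "context": {"ip_address": "10.0.0.9"}, "correlation_id": "c3"},
        {"tuple_key": {"user": "user:bob", "relation": "editor", "object": "document:roadmap"},
         "context": {"ip_address": "10.0.0.9"}, "correlation_id": "c4"},
    ],
}

if __name__ == "__main__":
    for key, contexts in find_conflicting_checks(SAMPLE_REQUEST).items():
        print("conflicting contexts for", key, "->", contexts)
    print("safe to forward:", is_safe_to_forward(SAMPLE_REQUEST))
```

On the sample, only anne's triple is reported; bob's two checks share one context and are left alone. Contexts are compared after JSON canonicalization so that the same context written with keys in a different order is not flagged.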

Fix

Upgrade to OpenFGA v1.14.0

Acknowledgement

OpenFGA would like to thank @bugbunny-research for the discovery and detailed report.

EPSS Score: 0.00034 (0.100)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Incorrect Authorization

ADVISORY - github

Incorrect Authorization

ADVISORY - redhat

Authorization Bypass Through User-Controlled Key
