CVE-2026-41131

ADVISORY - github

Summary

Description

In OpenFGA, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request.

Am I Affected?

Users are affected if their applications meet the following preconditions:

The model has relations which rely on condition evaluation.
Caching is enabled.

Fix

Upgrade to OpenFGA v1.14.1.

Acknowledgement

OpenFGA would like to thank @bugbunny-research for the detailed report.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-706⁠

Use of Incorrectly-Resolved Name or Reference

CWE-863⁠

Incorrect Authorization

ADVISORY - github

CWE-706⁠

Use of Incorrectly-Resolved Name or Reference

CWE-863⁠

Incorrect Authorization

Impacted images

Advisories

Docker

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY ID

CVE-2026-41131

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

NIST

CREATED

1 day ago

UPDATED

4 hours ago

ADVISORY IDCVE-2026-41131⁠

EXPLOITABILITY SCORE

1.6

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-706⁠CWE-863⁠

CVSS SCORE

5medium

GitHub

CREATED

6 hours ago

UPDATED

6 hours ago

ADVISORY IDGHSA-57j5-qwp2-vqp6⁠

EXPLOITABILITY SCORE

1.6

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-706⁠CWE-863⁠

CVSS SCORE

5medium