CVE-2026-48096

ADVISORY - github

Summary

Description

In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request.

Preconditions

This applies if the following preconditions are present:

FGA runs with SharedIteratorCache enabled,
FGA runs with ListObjectsIteratorCache enabled.

Fix

Upgrade to version 1.16.0 or greater.

Acknowledgements

OpenFGA would like to thank @j4xT for the discovery and the detailed report.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-345⁠

Insufficient Verification of Data Authenticity

CWE-668⁠

Exposure of Resource to Wrong Sphere

ADVISORY - github

CWE-345⁠

Insufficient Verification of Data Authenticity

CWE-668⁠

Exposure of Resource to Wrong Sphere

Impacted images

Advisories

Docker

CREATED

7 days ago

UPDATED

7 days ago

ADVISORY ID

CVE-2026-48096

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

NIST

CREATED

2 days ago

UPDATED

6 hours ago

ADVISORY IDCVE-2026-48096⁠

EXPLOITABILITY SCORE

1.6

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-345⁠CWE-668⁠

CVSS SCORE

5medium

GitHub

CREATED

10 hours ago

UPDATED

10 hours ago

ADVISORY IDGHSA-8396-jffm-qx4w⁠

EXPLOITABILITY SCORE

1.6

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-345⁠CWE-668⁠

CVSS SCORE

5medium