CVE-2026-48096

ADVISORY - github

Summary

Description

In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request.

Preconditions

This applies if the following preconditions are present:

  • FGA runs with SharedIteratorCache enabled
  • FGA runs with ListObjectsIteratorCache enabled

Fix

Upgrade to version 1.16.0 or greater.
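
A triage sketch for the preconditions and fix version above, added here as an example and not taken from the advisory or from OpenFGA. The inventory records, their field layout and the deployment names are constructed. The advisory does not say whether one cache alone is enough, so the check treats either being enabled as exposed.

```python
import re
FIXED = (1, 16, 0)  # first fixed release named in the advisory
# Precondition names as the advisory writes them; how they map onto a given
# deployment's flags or environment variables is for the operator to fill in.
PRECONDITIONS = ("SharedIteratorCache", "ListObjectsIteratorCache")
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+\S*)?$")

def is_fixed(tag):
    """True/False for a semver tag, None when the tag cannot be compared."""
    m = _VER.match(tag.strip())
    if not m:
        return None  # "latest", a digest, a branch name
    core = tuple(int(x) for x in m.group(1, 2, 3))
    # Assumption: a pre-release of the fixed version (1.16.0-rc1) is treated
    # as not fixed, since semver orders it before 1.16.0.
    if core == FIXED and m.group(4):
        return False
    return core >= FIXED

def triage(deployment):
    fixed = is_fixed(deployment["version"])
    enabled = [p for p in PRECONDITIONS if deployment.get(p)]
    if fixed:
        return "fixed", enabled
    if fixed is None:
        return "unknown-version", enabled
    # Conservative reading: either cache being on counts as exposed.
    return ("affected" if enabled else "not-exposed"), enabled

# Constructed inventory; names and versions are made up for the example.
INVENTORY = [
    {"name": "authz-prod", "version": "v1.15.2",
     "SharedIteratorCache": True, "ListObjectsIteratorCache": True},
    {"name": "authz-stage", "version": "1.16.0",
     "SharedIteratorCache": True, "ListObjectsIteratorCache": True},
    {"name": "authz-dev", "version": "v1.14.0",
     "SharedIteratorCache": False, "ListObjectsIteratorCache": False},
    {"name": "authz-edge", "version": "latest",
     "SharedIteratorCache": True, "ListObjectsIteratorCache": False},
    {"name": "authz-canary", "version": "1.16.0-rc1",
     "SharedIteratorCache": False, "ListObjectsIteratorCache": True},
]

def report(inventory):
    return {d["name"]: triage(d)[0] for d in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

Deployments reported as unknown-version run an image tag that cannot be compared and need the running version resolved before they can be cleared.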

Acknowledgements

OpenFGA would like to thank @j4xT for the discovery and the detailed report.

Common Weakness Enumeration (CWE)

ADVISORY - nist

Insufficient Verification of Data Authenticity

Exposure of Resource to Wrong Sphere

ADVISORY - github

Insufficient Verification of Data Authenticity

Exposure of Resource to Wrong Sphere

