CVE-2026-33729: OpenFGA has an Authorization Bypass through cached keys
In OpenFGA, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request.