CVE-2026-34972: OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement.