CVE-2026-41131: OpenFGA has Improper Policy Enforcement
In OpenFGA, in specific scenarios, models that use conditions can, when caching is enabled, cause two different check requests to produce the same cache key. OpenFGA could then reuse an earlier cached result for a subsequent request.
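The advisory does not say how the collision arises, so the following is an added illustration of the general bug class, not OpenFGA's code and not a statement of its root cause. It shows a check cache whose key serializes the condition context ambiguously, next to a key built from a canonical encoding; `evaluate`, `weak_key`, `strong_key`, `CachedChecker` and all request values are hypothetical and constructed for this example.

```python
import hashlib
import json

def evaluate(user, relation, obj, context):
    # Hypothetical condition: access only from the corporate network.
    return context.get("network") == "corp"

def weak_key(user, relation, obj, context):
    # Flaw: context keys and values are concatenated with no delimiters,
    # so different contexts can serialize to the same string.
    ctx = "".join(f"{k}{v}" for k, v in sorted(context.items()))
    return f"{user}/{relation}/{obj}/{ctx}"

def strong_key(user, relation, obj, context):
    # Canonical JSON keeps field boundaries and key names unambiguous;
    # hashing only shortens the key.
    canonical = json.dumps([user, relation, obj, context],
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class CachedChecker:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.cache = {}

    def check(self, user, relation, obj, context):
        key = self.key_fn(user, relation, obj, context)
        if key not in self.cache:
            self.cache[key] = evaluate(user, relation, obj, context)
        return self.cache[key]

def run(key_fn):
    # Two different requests (constructed): only the first satisfies the condition.
    checker = CachedChecker(key_fn)
    first = checker.check("user:anne", "viewer", "doc:1", {"network": "corp"})
    second = checker.check("user:anne", "viewer", "doc:1", {"net": "workcorp"})
    return first, second

if __name__ == "__main__":
    print("weak key:  ", run(weak_key))    # second request reuses the cached allow
    print("strong key:", run(strong_key))  # second request is evaluated on its own
```

With the weak key, the second request is answered from the first request's cache entry instead of being evaluated against its own context.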