{"id":"CVE-2026-41131","summary":"OpenFGA has Improper Policy Enforcement","details":"OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request, so the later check can return a decision that was computed for a different request. A deployment is affected only when both preconditions hold: the model has relations which rely on condition evaluation, and the user has caching enabled. OpenFGA v1.14.1 contains a fix.","aliases":["GHSA-57j5-qwp2-vqp6"],"modified":"2026-05-28T04:11:54.263140493Z","published":"2026-04-21T23:38:29.955Z","related":["CGA-qq6h-jrmc-rhqj"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41131.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-706","CWE-863"]},"references":[{"type":"WEB","url":"https://github.com/openfga/openfga/releases/tag/v1.14.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41131.json"},{"type":"ADVISORY","url":"https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41131"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openfga/helm-charts","events":[{"introduced":"0"},{"fixed":"da697876bc5aa194a4c95c9f5af32d57c33a6cfc"}],"database_specific":{"cpe":"cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*","extracted_events":[{"introduced":"0"},{"fixed":"0.3.1"}],"source":"CPE_RANGE"}}],"versions":["openfga-0.3.0","openfga-0.2.62","openfga-0.2.61","openfga-0.2.60","openfga-0.2.59","openfga-0.2.58","openfga-0.2.57","openfga-0.2.56","openfga-0.2.55","openfga-0.2.54","openfga-0.2.53","openfga-0.2.52","openfga-0.2.51","openfga-0.2.50","openfga-0.2.49","openfga-0.2.48","openfga-0.2.47","openfga-0.2.46","openfga-0.2.45","openfga-0.2.44","openfga-0.2
.43","openfga-0.2.42","openfga-0.2.41","openfga-0.2.40","openfga-0.2.39","openfga-0.2.38","openfga-0.2.37","openfga-0.2.36","openfga-0.2.35","openfga-0.2.34","openfga-0.2.33","openfga-0.2.32","openfga-0.2.31","openfga-0.2.30","openfga-0.2.29","openfga-0.2.28","openfga-0.2.27","openfga-0.2.26","openfga-0.2.25","openfga-0.2.24","openfga-0.2.23","openfga-0.2.22","openfga-0.2.21","openfga-0.2.20","openfga-0.2.19","openfga-0.2.18","openfga-0.2.17","openfga-0.2.16","openfga-0.2.15","openfga-0.2.14","openfga-0.2.13","openfga-0.2.12","openfga-0.2.11","openfga-0.2.10","openfga-0.2.9","openfga-0.2.8","openfga-0.2.7","openfga-0.2.6","openfga-0.2.5","openfga-0.2.4","openfga-0.2.3","openfga-0.2.2","openfga-0.2.1","openfga-0.2.0","openfga-0.1.41","openfga-0.1.40","openfga-0.1.39","openfga-0.1.38","openfga-0.1.37","openfga-0.1.36","openfga-0.1.35","openfga-0.1.34","openfga-0.1.33","openfga-0.1.32","openfga-0.1.31","openfga-0.1.30","openfga-0.1.29","openfga-0.1.28","openfga-0.1.27","openfga-0.1.26","openfga-0.1.25","openfga-0.1.24","openfga-0.1.23","openfga-0.1.22","openfga-0.1.21","openfga-0.1.20","openfga-0.1.19","openfga-0.1.18","openfga-0.1.17","openfga-0.1.16","benchmark-0.0.12","benchmark-0.0.11","openfga-0.1.15","openfga-0.1.14","openfga-0.1.13","benchmark-0.0.10","benchmark-0.0.9","openfga-0.1.12","benchmark-0.0.8","openfga-0.1.11","benchmark-0.0.7","benchmark-0.0.6","openfga-0.1.10","benchmark-0.0.5","benchmark-0.0.4","benchmark-0.0.3","benchmark-0.0.2","benchmark-0.0.1","openfga-0.1.9","openfga-0.1.8","openfga-0.1.7","openfga-0.1.6","openfga-0.1.5","openfga-0.1.4","openfga-0.1.1","openfga-0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41131.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/openfga/openfga","events":[{"introduced":"0"},{"fixed":"fa5702405fdda60f2df05f3f1e5cffd40ade127a"}],"database_specific":{"cpe":"cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"
0"},{"fixed":"1.14.1"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["v1.14.0","v1.13.1","v1.11.5","v1.13.0","v1.12.1","v1.12.0","v1.11.6","v1.11.4","v1.11.3","v1.11.2","v1.11.1","v1.11.0","v1.10.5","v1.10.4","v1.10.3","v1.10.2","v1.10.1","v1.10.0","v1.9.5","v1.9.4","v1.9.3","v1.9.2","v1.9.0","v1.8.15","v1.8.14","v1.8.13","v1.8.12","v1.8.11","v1.8.10","v1.8.9","v1.8.8","v1.8.7","v1.8.6","v1.8.5","v1.8.4","v1.8.3","v1.8.2","v1.8.1","v1.8.0","v1.7.0","v1.6.2","v1.6.1","v1.6.0","v1.5.9","v1.5.8","v1.5.7","v1.5.6","v1.5.5","v1.5.4","v1.5.3","v1.5.2","v1.5.1","v1.5.0","v1.4.3","v1.4.1","v1.4.0","v1.3.10","v1.3.9","v1.3.8","v1.3.7","v1.3.6","v1.3.5","v1.3.4","v1.3.3","v1.3.2","v1.3.1","v1.3.0","v1.2.0","v1.1.1","v1.1.0","v1.0.1","v1.0.0","v0.4.3","v0.4.2","v0.4.1","v0.4.0","v0.3.7","v0.3.6","v0.3.5","v0.3.4","v0.3.3","v0.3.2","v0.3.1","v0.3.0","v0.2.5","v0.2.4","v0.2.3","v0.2.2","v0.2.1","v0.2.0","v0.1.7","v0.1.6","v0.1.5","v0.1.4","v0.1.3","v0.1.2","v0.1.1","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41131.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}