CVE-2026-34972
OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
Description
### Description In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. ### Am I affected? You are affected if you meet the following preconditions: 1. You execute **BatchCheck** operations which rely on context. 2. Multiple checks are sent within a single BatchCheck operation for the same user/object/relation combination, each containing context. 3. The contexts between those checks differ in a specific way ### Fix Upgrade to OpenFGA v1.14.0 ### Acknowledgement OpenFGA would like to thank @bugbunny-research for the discovery and detailed report.
How to fix CVE-2026-34972
To remediate CVE-2026-34972, upgrade the affected package to a fixed version below.
- —upgrade to 1.14.0 or later
Is CVE-2026-34972 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.8.0, < 1.14.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |