Untriaged
CVE-2026-34972
5.0 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): LOW
OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.
References
- https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45 (x_refsource_CONFIRM)
Affected products
openfga
- >= 1.8.0, < 1.14.0
Matching in nixpkgs
pkgs.openfga
High performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar
pkgs.openfga-cli
Cross-platform CLI to interact with an OpenFGA server
pkgs.python312Packages.openfga-sdk
Fine-Grained Authorization solution for Python
pkgs.python313Packages.openfga-sdk
Fine-Grained Authorization solution for Python
pkgs.python314Packages.openfga-sdk
Fine-Grained Authorization solution for Python
Package maintainers
- @jlesquembre José Luis Lafuente <jl@lafuente.me>
- @nicklewis Nick Lewis <nick@nlew.net>