Nixpkgs security tracker
NIXPKGS-2026-1908
GitHub issue
published 14 hours ago
OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning
Permalink
CVE-2026-48096
5.0 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
3 packages
- openfga-cli
- python313Packages.openfga-sdk
- python314Packages.openfga-sdk
- @LeSuisse accepted
- @LeSuisse published on GitHub
OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.
References
-
https://github.com/openfga/openfga/security/advisories/GHSA-8396-jffm-qx4w x_refsource_CONFIRM
-
https://github.com/openfga/openfga/releases/tag/v1.16.0 x_refsource_MISC
Affected products
openfga
- ==< 1.16.0
Matching in nixpkgs
Ignored packages (3)
pkgs.openfga-cli
Cross-platform CLI to interact with an OpenFGA server
pkgs.python313Packages.openfga-sdk
Fine-Grained Authorization solution for Python
Package maintainers
-
@jlesquembre José Luis Lafuente <jl@lafuente.me>