CVE-2026-48096
MediumCVSS 5.0Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
OpenFGA, an authorization engine, prior to version 1.16.0, had an issue with iterator caching where two distinct check requests could produce the same cache key. This led to the reuse of an earlier cached result for a subsequent request.
Risk Assessment
Organizations may be exposed to unauthorized access as results from earlier requests could be improperly used in new contexts.
Recommendation
It is recommended to upgrade OpenFGA to version 1.16.0 or later to mitigate this vulnerability.
Original NVD description (English source)
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0.

