MEDIUM 5.0

GHSA-8396-jffm-qx4w

OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator caches that enables intra-store authorization-decision poisoning

Details

### Description

In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request.
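The bug class named in the title, shown as an added illustration that is not OpenFGA's code: the `Request` type, its field names and the `/` delimiter are assumptions, and the sample requests are constructed. It contrasts a delimiter-joined cache key, where two distinct requests collide, with a length-prefixed key that keeps field boundaries.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Request is a hypothetical lookup whose result gets cached; the field
// names are assumptions for this illustration, not OpenFGA's types.
type Request struct {
	Object, Relation, User string
}

// naiveKey joins the fields with a delimiter that may also appear inside a
// field, so field boundaries are lost and distinct requests can collide.
func naiveKey(r Request) string {
	return strings.Join([]string{r.Object, r.Relation, r.User}, "/")
}

// safeKey length-prefixes every field before hashing, so the hashed
// encoding is unambiguous: different field splits give different input.
func safeKey(r Request) string {
	h := sha256.New()
	var n [8]byte
	for _, f := range []string{r.Object, r.Relation, r.User} {
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		h.Write(n[:])
		h.Write([]byte(f))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// collides reports whether two distinct requests map to one key under keyFn.
func collides(a, b Request, keyFn func(Request) string) bool {
	return a != b && keyFn(a) == keyFn(b)
}

func main() {
	// Constructed sample requests: the same bytes, split at different points.
	a := Request{Object: "doc:1", Relation: "viewer/x", User: "user:bob"}
	b := Request{Object: "doc:1/viewer", Relation: "x", User: "user:bob"}
	fmt.Println("naive collision:", collides(a, b, naiveKey))
	fmt.Println("safe collision: ", collides(a, b, safeKey))
}
```
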

### Preconditions

This applies if the following preconditions are present:

- FGA runs with SharedIteratorCache enabled,
- FGA runs with ListObjectsIteratorCache enabled.

### Fix

Upgrade to version 1.16.0 or greater.

### Acknowledgements

OpenFGA would like to thank @j4xT for the discovery and the detailed report.


Affected packages

Go / github.com/openfga/openfga
Introduced in: 0
Fixed in: 1.16.0
Fix: `go get github.com/openfga/openfga@v1.16.0`

References