Improper input validation in OpenFGA
CVE-2026-33729
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can resul…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.000 (6.0th percentile)
Affected products
- OpenFGA — versions < 1.13.1
Weakness classification (CWE)
References
- https://github.com/openfga/openfga/security/advisories/GHSA-h6c8-cww8-35hf (x_refsource_CONFIRM)
- https://github.com/openfga/openfga/commit/049b50ccd2cc7e163bd897f3d17a7b859ad146f8 (x_refsource_MISC)
- https://github.com/openfga/openfga/releases/tag/v1.13.1 (x_refsource_MISC)