What is CVE-2026-41131?

CVE-2026-41131 is a medium-severity vulnerability in Openfga, classified under Incorrect Authorization. CVSS score: 5.0/10. Published 2026-04-21.

How severe is CVE-2026-41131?

Medium severity. CVSS v3 base score is 5.0 out of 10.

Auth bypass in Openfga

CVE-2026-41131

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This…

Vulnerability class: Broken Access Control

EPSS: 0.000 (14.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.0 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L.

Affected products

Openfga — versions < 1.14.1

Weakness classification (CWE)

References

https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6 (x_refsource_CONFIRM)
https://github.com/openfga/openfga/releases/tag/v1.14.1 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-41131?: CVE-2026-41131 is a medium-severity vulnerability in Openfga, classified under Incorrect Authorization. CVSS score: 5.0/10. Published 2026-04-21.
How severe is CVE-2026-41131?: Medium severity. CVSS v3 base score is 5.0 out of 10.