CVE-2026-34972 — OpenFGA is a high-performance and flexible authorization/permission engine…
Image via opengraph.githubassets.com
🚨 CVE-2026-34972 OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can resul
OpenFGA Improper Policy Enforcement
github.com
What This Means For You
- Affects Google ecosystem — review Chrome/Android/GCP deployments.
- New vulnerability disclosed — verify if your stack is exposed.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-34972 | Auth Bypass | OpenFGA versions 1.8.0 to 1.13.1. Vulnerability in BatchCheck calls with multiple checks for the same object, relation, and user combination leading to improper policy enforcement. |
| CVE-2026-34972 | Misconfiguration | OpenFGA versions 1.8.0 to 1.13.1. Improper policy enforcement due to specific conditions in BatchCheck calls. |
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Channel ID | 1129491012 |
| Message ID | 158222 |
| Published | April 07, 2026 at 00:26 UTC |
| Original Link | https://github.com/openfga/openfga/security/advisories/GH... |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Found this interesting? Follow us to stay ahead.
Share