Technologyglobal✓ verified · 90%

OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning

Name: OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning
Start: 2026-06-11T20:28:18Z
Location: Global (internet)

When: 2026-06-11 20:28 UTC
Where: Global (internet)
Category: cyber_advisory · go

### Description In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. ### Preconditions This applies if the following preconditions are present: - FGA runs with SharedIteratorCache enabled, - FGA runs with ListObjectsIteratorCache enabled. ### Fix Upgrade to version 1.16.0 or greater. ### Acknowledgements OpenFGA would like to thank @j4xT for the discovery and the detailed report.

Sources

GitHub Advisory Database ↗ · first seen 2026-06-11 20:28 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map