github.com/openfga/openfga is vulnerable to Improper Access Control
37
Low Risk
The Check reducers (union, intersection, exclusion) in internal/graph/check.go did not check for an already-cancelled parent context before creating goroutines and enqueueing work. When the request context was cancelled before a reducer ran, the reducers could still spawn nested handlers, leading to a race: the Check API could non-deterministically return "Request Cancelled" (or an error) instead of the correct allow/deny. The observed impact is that authorized users may be wrongly denied or receive an error when they should have been allowed; the race does not cause the engine to allow an unauthorized user. The fix adds an early ctx.Err() != nil guard at the entry of each reducer, mirroring the existing guard in ResolveCheck, so cancelled contexts short-circuit before goroutine creation.
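To illustrate the guard described above, here is an added example, not code from the openfga project: a simplified union reducer with hypothetical Outcome and Handler types and a spawn counter. The unguarded form spawns a goroutine per nested handler whether or not ctx is already cancelled; the guarded form checks ctx.Err() first, as the fix does, so a pre-cancelled context never creates goroutines.

```go
package main

import (
	"context"
	"sync"
	"sync/atomic"
)

// Outcome is a simplified Check result (a hypothetical type, not OpenFGA's own).
type Outcome struct {
	Allowed bool
	Err     error
}

// Handler stands in for a nested check handler (hypothetical signature).
type Handler func(ctx context.Context) Outcome

// unionUnguarded mirrors the pre-fix reducer: it spawns a goroutine per handler
// without asking whether ctx is already cancelled, so work is still enqueued and
// the answer depends on which handler observes the cancellation first.
func unionUnguarded(ctx context.Context, spawned *int32, handlers ...Handler) Outcome {
	results := make(chan Outcome, len(handlers))
	var wg sync.WaitGroup
	for _, h := range handlers {
		wg.Add(1)
		atomic.AddInt32(spawned, 1)
		go func(h Handler) { defer wg.Done(); results <- h(ctx) }(h)
	}
	wg.Wait()
	close(results)
	var firstErr error
	for r := range results {
		if r.Err == nil && r.Allowed {
			return Outcome{Allowed: true} // union: any allow wins
		}
		if r.Err != nil && firstErr == nil {
			firstErr = r.Err
		}
	}
	return Outcome{Err: firstErr}
}

// unionGuarded adds the fix: a cancelled parent context short-circuits before
// any goroutine exists, so the outcome is a deterministic context error.
func unionGuarded(ctx context.Context, spawned *int32, handlers ...Handler) Outcome {
	if err := ctx.Err(); err != nil {
		return Outcome{Err: err}
	}
	return unionUnguarded(ctx, spawned, handlers...)
}
```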
You are affected if you are using a version that falls within the vulnerable range.
github.com/openfga/openfga is vulnerable to Improper Access Control in versions 1.0.0 - 1.11.6.
Upgrade the github.com/openfga/openfga library to a patched version outside the vulnerable range.