RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: OpenFGAClear ×

OpenFGA

SecurityJun 29, 2026

v1.18.1 is a routine patch that fixes CIDR matching behavior and serialization determinism while extending an experimental flag to BatchCheck. No breaking changes or CVEs are reported, though the in_cidr fix does change matching behavior for IPv4-mapped IPv6 addresses.

  • breakingin_cidr now matches IPv4-mapped IPv6 addresses against IPv4 CIDRs

    Applies unconditionally: the in_cidr condition now normalizes IPv4-mapped IPv6 addresses (e.g. ::ffff:192.168.1.1) to their IPv4 form before matching, so they can now match IPv4 CIDRs like 192.168.1.0/24. Review any authorization models relying on in_cidr if you expect these addresses to be excluded from IPv4 ranges.

Key changes (4)
  • in_cidr condition now normalizes IPv4-mapped IPv6 addresses (RFC 4291 §2.5.5.2) to their IPv4 equivalent, so ::ffff:192.168.1.1 matches 192.168.1.0/24
  • Adds diagnostic logging in weighted_graph_check, Expand, and ListUsers to flag models where a future v2 Check resolution might diverge from v1; no operator action required now
  • Experimental weighted_graph_check flag now extends to BatchCheck, evaluating each item with the weighted graph algorithm and falling back per-item to the standard algorithm on non-terminal errors
  • Authorization model serialization to serialized_protobuf now uses deterministic proto marshaling, fixing inconsistent stored bytes for models with map-keyed type definitions
Source

OpenFGA

SecurityJun 17, 2026

v1.18.0 patches two auth security bugs and fixes MySQL case-sensitivity. MySQL users must plan a maintenance window before upgrading — auto-migration will lock tuple/changelog tables.

  • securitySilent OIDC audience bypass — check your auth config before upgrading

    If authn.oidc.audience was previously omitted, any validly-signed token from your trusted issuer was accepted regardless of intended audience. After upgrading, OpenFGA will refuse to start without both issuer and audience set. Verify your deployment config has authn.oidc.audience explicitly set, or the service will not come up.

  • securityPreshared key timing side-channel fixed — no action needed if you rotate keys

    The prior map lookup for preshared key auth could reveal valid key bytes via timing differences. Now fixed with constant-time comparison. No immediate action required, but if this key has been exposed to untrusted network paths for a long time, rotating the preshared key is a reasonable precaution.

  • breakingMySQL users: do not auto-migrate on startup

    Migration 008 acquires a shared lock on tuple and changelog tables. On large datasets this can block Write operations for an extended period. Read the operator runbook at the collation_migrations.md guide, schedule a maintenance window, and run the migration manually rather than letting OpenFGA auto-migrate on startup.

Key changes (4)
  • MySQL schema migration 008 changes collation to enforce case-sensitive identifier comparison; acquires a shared lock on tuple and changelog tables during migration
  • Preshared key auth now uses constant-time comparison, closing a timing side-channel that could leak information about valid key bytes
  • OIDC config validation tightened: OpenFGA now refuses to start if authn.oidc.issuer or authn.oidc.audience is missing, preventing silent JWT audience bypass
  • MySQL identifier comparison now matches Postgres and SQLite behavior (case-sensitive)
Source

OpenFGA

SecurityJun 5, 2026

v1.17.1 is a focused patch fixing two correctness bugs: stale cache reads and broken continuation tokens with pipe characters in type names.

  • securityStale cache reads could return incorrect authorization decisions — patch now

    The iterator cache was using write time rather than query start time as the LastModified anchor, meaning cached entries could persist beyond the intended validity window and serve stale data. In an authorization system, a stale 'allow' decision is a real risk. This is fixed in v1.17.1; upgrade immediately if you run with caching enabled.

  • breakingAudit type names with '|' if pagination was silently breaking

    If your FGA model uses type names containing the pipe character '|', continuation tokens were being deserialized incorrectly. This could cause ListObjects or similar paginated calls to return incomplete or wrong results without throwing obvious errors. Upgrade to v1.17.1 and re-test any pagination flows that touch those type names.

  • enhancementv2Check throttling fallback removed — verify your error handling

    Previously, v2Check would fall back to v1 behavior under throttling or validation errors, masking the actual problem. Now it surfaces those errors directly. If your application swallows check errors silently or assumes fallback behavior, you may start seeing errors that were previously hidden. Test under load before rolling out to production.

Key changes (5)
  • Fixed stale-read bug in iterator cache: query start time now anchors the LastModified timestamp, preventing cached entries from surviving longer than intended
  • Fixed continuation token deserializer failing when type names contain the '|' character, which would silently break pagination
  • v2Check no longer falls back to v1 behavior when throttling or validation errors occur, enforcing stricter execution semantics
  • Go toolchain bumped to 1.26.4 and grpc-health-probe updated to v0.4.52
  • Caching documentation updated to reflect current behavior
Source

OpenFGA

SecurityMay 20, 2026

v1.16.0 patches a critical OIDC token rejection bug after key rotation, fixes two correctness bugs in experimental weighted_graph_check, and updates Go to address stdlib CVEs.

  • securityUpdate immediately if using OIDC auth or any Go stdlib CVEs apply

    Two separate security concerns here. First, the OIDC JWKS refresh fix means deployments that rotate issuer keys were silently rejecting valid tokens — if you've seen 401s after a key rotation, this is why. Second, the Go 1.24.3 update patches stdlib vulnerabilities; review the Go 1.24.3 release notes to assess exposure. Upgrade to v1.16.0 promptly in both cases.

  • breakingweighted_graph_check users: validate results after upgrading

    Two correctness bugs were fixed in the experimental weighted_graph_check feature. Cache key collisions and false-negative caching from cancelled goroutines mean prior versions could return incorrect 'false' results. If you're running this in any meaningful capacity, run a validation pass against known-good authorization scenarios after upgrading to confirm behavior is now correct.

  • enhancementConfigure PingTimeout to catch datastore connectivity issues faster

    The new PingTimeout and PingRetryMaxElapsedTime config options give you explicit control over how long OpenFGA waits to confirm datastore connectivity at startup and during health checks. Set these to values aligned with your SLOs — tighter timeouts surface infrastructure problems earlier instead of letting the server spin up against a degraded datastore.

Key changes (5)
  • OIDC authentication now refreshes JWKS on unknown 'kid', fixing valid token rejections after issuer key rotation (rate-limited to once per minute)
  • Go toolchain updated to 1.24.3 to address Go standard library security vulnerabilities
  • Fixed two bugs in experimental weighted_graph_check: cache key collisions in union resolution and false negatives from cancelled in-flight goroutines
  • weighted_graph_check now falls back to the standard algorithm instead of erroring when v2Check fails
  • New datastore ping timeout configs: PingTimeout and PingRetryMaxElapsedTime for better connection health control
Source

OpenFGA

SecurityMay 6, 2026

v1.15.1 is a stability patch fixing two serious runtime bugs — a potential deadlock in Check and a semaphore leak under context cancellation — plus a cache collision in the experimental weighted graph check.

  • securityCache key collision in `weighted_graph_check` could return incorrect authorization results

    If you're running the experimental `weighted_graph_check` feature, the cache collision bug means Check could return stale or wrong results for relationships in unions with direct types, wildcards, TTU paths, or intersections. This is an authorization correctness issue — wrong answers on permission checks. Upgrade before relying on this feature in any environment where correctness matters. If you can't upgrade immediately, disable the experimental feature flag.

  • breakingUpgrade immediately — deadlock and semaphore leak bugs affect production stability

    Two bugs here can quietly degrade running services. The deadlock in Check (message streams held open on error) can starve request processing over time. The semaphore leak in the bounded tuple reader under context cancellation means goroutine/resource exhaustion under load or timeout-heavy workloads. Neither requires config changes — just upgrade. If you've seen unexplained Check hangs or increasing resource pressure after cancellations, these are the culprits.

  • enhancementListObjects now handles short-circuit errors correctly

    A subtle bug was causing expected errors (non-fatal path short-circuits) to bubble up incorrectly in ListObjects responses. If you've seen unexpected errors returned from ListObjects queries that should have silently short-circuited, this fix resolves that. No action needed beyond upgrading — but worth re-validating ListObjects behavior in your test suite after the upgrade.

Key changes (5)
  • Fixed potential panic in command error handling
  • Fixed deadlock risk in Check by ensuring message streams close on error instead of hanging indefinitely
  • Fixed semaphore token leaks in the bounded tuple reader during context cancellation
  • Fixed cache key collisions in experimental `weighted_graph_check` affecting unions with multiple branches
  • Fixed incorrect error propagation in ListObjects when a path short-circuits
Source

OpenFGA

SecurityApr 3, 2026

v1.14.0 fixes a potential deadlock in ListObjects, improves intersection algorithm performance, and adds BatchCheck caching — plus a SQL serialization bug fix that affects PostgreSQL users.

  • securityPostgreSQL users: apply the SQL serialization fix

    The TupleOperation serialization and pgx.ErrNoRows fixes could cause silent data inconsistencies or incorrect error handling in PostgreSQL deployments. If you're running OpenFGA on Postgres, this fix alone justifies upgrading. Verify your tuple write/read behavior post-upgrade.

  • breakingReview CVE-2026-33729 and upgrade immediately

    The changelog explicitly references CVE-2026-33729. The release notes don't detail the full scope, but a CVE update in a patch/minor release demands immediate attention. Upgrade to v1.14.0 now and audit your deployment's exposure before the CVE details become widely known.

  • enhancementListObjects deadlock fix is critical for high-concurrency workloads

    A deadlock in the ListObjects pipeline is the kind of bug that only shows up under real production load. If you use ListObjects extensively — especially with concurrent callers — this fix is essential. After upgrading, stress-test ListObjects under your typical concurrency patterns to confirm stability.

  • enhancementBatchCheck caching reduces authorization latency at scale

    If your application calls BatchCheck repeatedly with overlapping tuples or conditions, the new caching layer will cut latency and backend load. No configuration changes are mentioned, so the benefit should be automatic — but monitor cache behavior through the new tuple iterator query stats to validate the improvement in your environment.

Key changes (5)
  • Fixed a potential deadlock in the ListObjects pipeline algorithm, improving reliability under concurrent load
  • Intersection algorithm rewritten for lower latency and reduced memory usage
  • BatchCheck results now cached, reducing redundant authorization checks
  • SQL TupleOperation serialization bug and pgx.ErrNoRows error handling fixed for PostgreSQL backends
  • Tuple iterator query stats added for better observability into database query behavior
Source

OpenFGA

SecurityMar 23, 2026

OpenFGA v1.13.0 ships AuthZen v1.0 support, separates Check v1/v2 caches, and hardens the resolver pipeline against panics.

  • securityUpgrade to stop resolver panics from taking down the server

    Unhandled panics in the pipeline base resolver previously had the potential to crash the OpenFGA process entirely. The fix converts these to returned errors, keeping the server running. If you've seen unexpected OpenFGA restarts under complex authorization graph evaluations, this is likely why. Upgrade promptly — this is a reliability fix with meaningful availability implications.

  • breakingSeparate Check v1/v2 caches may change cache hit behavior — review your cache sizing

    Previously, Check v1 and v2 shared a single cache, which could lead to cross-contamination but also inadvertent cache hits. Now they're isolated. If you're running both API versions concurrently, your effective cache hit rate may drop and memory usage could shift. Revisit your cache capacity configuration after upgrading and monitor cache hit ratios in your observability stack.

  • enhancementEvaluate AuthZen v1.0 for cross-system authorization interop

    AuthZen v1.0 is the emerging standard for authorization API interoperability across CNCF and broader ecosystem tools. If you're integrating OpenFGA with other policy engines or building a multi-system authz layer, test the new AuthZen endpoint now. Early adoption means your integration patterns align with where the ecosystem is heading rather than needing a retrofit later.

Key changes (4)
  • AuthZen v1.0 standard implemented — OpenFGA now speaks the CNCF authorization interoperability spec
  • Separate cache layers for Check v1 and Check v2 APIs, preventing cross-version cache pollution
  • Panics in the pipeline's base resolver are now caught and returned as errors instead of crashing the process
  • List-objects span aggregation improved — message stats per sender now roll up into a single trace span for cleaner observability
Source

OpenFGA

SecurityMar 19, 2026

v1.12.1 is a focused maintenance release fixing OTLP endpoint URI parsing and improving ListObjects pipeline internals with Go native channels.

  • breakingOTLP https:// scheme now forces TLS regardless of your config flag

    If you set OTEL_EXPORTER_OTLP_ENDPOINT with an https:// scheme, TLS will be enabled even if trace.otlp.tls.enabled is false. Audit your observability configs before upgrading — any environment using https:// endpoints with TLS explicitly disabled will now have TLS enabled. This is almost certainly the correct behavior, but verify your collector setup accepts TLS connections.

  • enhancementOTLP endpoint URIs with schemes finally work — clean up your workarounds

    Previously, passing a full URI like http://host:4317 to OTEL_EXPORTER_OTLP_ENDPOINT would break because the scheme wasn't stripped before reaching the gRPC exporter. If you've been working around this by omitting the scheme, you can now use standard URI formats. Update your deployment configs and remove any manual scheme-stripping logic.

  • enhancementListObjects performance improvement — no action needed, just upgrade

    Replacing the custom Pipe implementation with Go native channels reduces internal complexity and can improve throughput for ListObjects calls under concurrent load. No API changes, no config changes needed. The tuple validation refactor compounds this. If you're running OpenFGA at scale with heavy ListObjects usage, this patch is worth taking.

Key changes (4)
  • ListObjects pipeline now uses Go native channels instead of a custom Pipe implementation — cleaner concurrency, better debuggability
  • Tuple validation and manipulation functions refactored for better performance under load
  • grpc-go bumped to v1.79.3 and grpc-health-probe to v0.4.47 — dependency hygiene
  • OTEL_EXPORTER_OTLP_ENDPOINT now correctly handles URIs with schemes like http:// or https://, stripping the scheme before passing to gRPC exporter
Source