RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: OpenFGAClear ×

OpenFGA

SecurityJun 17, 2026

v1.18.0 patches two auth security bugs and fixes MySQL case-sensitivity. MySQL users must plan a maintenance window before upgrading — auto-migration will lock tuple/changelog tables.

  • securitySilent OIDC audience bypass — check your auth config before upgrading

    If authn.oidc.audience was previously omitted, any validly-signed token from your trusted issuer was accepted regardless of intended audience. After upgrading, OpenFGA will refuse to start without both issuer and audience set. Verify your deployment config has authn.oidc.audience explicitly set, or the service will not come up.

  • securityPreshared key timing side-channel fixed — no action needed if you rotate keys

    The prior map lookup for preshared key auth could reveal valid key bytes via timing differences. Now fixed with constant-time comparison. No immediate action required, but if this key has been exposed to untrusted network paths for a long time, rotating the preshared key is a reasonable precaution.

  • breakingMySQL users: do not auto-migrate on startup

    Migration 008 acquires a shared lock on tuple and changelog tables. On large datasets this can block Write operations for an extended period. Read the operator runbook at the collation_migrations.md guide, schedule a maintenance window, and run the migration manually rather than letting OpenFGA auto-migrate on startup.

Key changes (4)
  • MySQL schema migration 008 changes collation to enforce case-sensitive identifier comparison; acquires a shared lock on tuple and changelog tables during migration
  • Preshared key auth now uses constant-time comparison, closing a timing side-channel that could leak information about valid key bytes
  • OIDC config validation tightened: OpenFGA now refuses to start if authn.oidc.issuer or authn.oidc.audience is missing, preventing silent JWT audience bypass
  • MySQL identifier comparison now matches Postgres and SQLite behavior (case-sensitive)
Source

OpenFGA

SecurityJun 5, 2026

v1.17.1 is a focused patch fixing two correctness bugs: stale cache reads and broken continuation tokens with pipe characters in type names.

  • securityStale cache reads could return incorrect authorization decisions — patch now

    The iterator cache was using write time rather than query start time as the LastModified anchor, meaning cached entries could persist beyond the intended validity window and serve stale data. In an authorization system, a stale 'allow' decision is a real risk. This is fixed in v1.17.1; upgrade immediately if you run with caching enabled.

  • breakingAudit type names with '|' if pagination was silently breaking

    If your FGA model uses type names containing the pipe character '|', continuation tokens were being deserialized incorrectly. This could cause ListObjects or similar paginated calls to return incomplete or wrong results without throwing obvious errors. Upgrade to v1.17.1 and re-test any pagination flows that touch those type names.

  • enhancementv2Check throttling fallback removed — verify your error handling

    Previously, v2Check would fall back to v1 behavior under throttling or validation errors, masking the actual problem. Now it surfaces those errors directly. If your application swallows check errors silently or assumes fallback behavior, you may start seeing errors that were previously hidden. Test under load before rolling out to production.

Key changes (5)
  • Fixed stale-read bug in iterator cache: query start time now anchors the LastModified timestamp, preventing cached entries from surviving longer than intended
  • Fixed continuation token deserializer failing when type names contain the '|' character, which would silently break pagination
  • v2Check no longer falls back to v1 behavior when throttling or validation errors occur, enforcing stricter execution semantics
  • Go toolchain bumped to 1.26.4 and grpc-health-probe updated to v0.4.52
  • Caching documentation updated to reflect current behavior
Source

OpenFGA

SecurityJun 2, 2026

v1.17.0 hardens cache key generation against hash-flooding attacks and adds configurable OpenTelemetry trace sampling, including parent-based propagation.

  • securityUpgrade to get hash-flooding protection in cache keys

    The old string-concatenation cache key approach was vulnerable to hash-flooding attacks and key collisions. The new TLV encoding with per-process hash seeding closes both issues. There are no config changes required — just upgrade. If you run OpenFGA in a multi-tenant or public-facing setup, this is a meaningful security improvement that warrants prioritizing the upgrade.

  • enhancementConfigure parent-based trace sampling if OpenFGA runs behind an API gateway or service mesh

    Previously, OpenFGA couldn't honor upstream sampling decisions, meaning traces could be captured inconsistently across your stack. Set `OPENFGA_TRACE_SAMPLER=parentbased_always_on` (or `parentbased_traceidratio`) so OpenFGA respects the sampling decision made by the calling service. This is especially useful when OpenFGA is a downstream dependency in a larger traced system — it reduces trace noise and aligns sampling with your existing observability strategy.

Key changes (5)
  • Cache key generation switched from string concatenation to TLV binary encoding, eliminating collision risk
  • Per-process hash seeding added to cache keys to prevent hash-flooding attacks
  • New configurable trace sampler via `trace.sampler` / `OPENFGA_TRACE_SAMPLER` / `OTEL_TRACES_SAMPLER`
  • Supports all standard OTel sampling strategies including parent-based variants
  • Default trace sampler is `traceidratio`, preserving previous behavior
Source

OpenFGA

SecurityMay 20, 2026

v1.16.0 patches a critical OIDC token rejection bug after key rotation, fixes two correctness bugs in experimental weighted_graph_check, and updates Go to address stdlib CVEs.

  • securityUpdate immediately if using OIDC auth or any Go stdlib CVEs apply

    Two separate security concerns here. First, the OIDC JWKS refresh fix means deployments that rotate issuer keys were silently rejecting valid tokens — if you've seen 401s after a key rotation, this is why. Second, the Go 1.24.3 update patches stdlib vulnerabilities; review the Go 1.24.3 release notes to assess exposure. Upgrade to v1.16.0 promptly in both cases.

  • breakingweighted_graph_check users: validate results after upgrading

    Two correctness bugs were fixed in the experimental weighted_graph_check feature. Cache key collisions and false-negative caching from cancelled goroutines mean prior versions could return incorrect 'false' results. If you're running this in any meaningful capacity, run a validation pass against known-good authorization scenarios after upgrading to confirm behavior is now correct.

  • enhancementConfigure PingTimeout to catch datastore connectivity issues faster

    The new PingTimeout and PingRetryMaxElapsedTime config options give you explicit control over how long OpenFGA waits to confirm datastore connectivity at startup and during health checks. Set these to values aligned with your SLOs — tighter timeouts surface infrastructure problems earlier instead of letting the server spin up against a degraded datastore.

Key changes (5)
  • OIDC authentication now refreshes JWKS on unknown 'kid', fixing valid token rejections after issuer key rotation (rate-limited to once per minute)
  • Go toolchain updated to 1.24.3 to address Go standard library security vulnerabilities
  • Fixed two bugs in experimental weighted_graph_check: cache key collisions in union resolution and false negatives from cancelled in-flight goroutines
  • weighted_graph_check now falls back to the standard algorithm instead of erroring when v2Check fails
  • New datastore ping timeout configs: PingTimeout and PingRetryMaxElapsedTime for better connection health control
Source

OpenFGA

SecurityMay 6, 2026

v1.15.1 is a stability patch fixing two serious runtime bugs — a potential deadlock in Check and a semaphore leak under context cancellation — plus a cache collision in the experimental weighted graph check.

  • securityCache key collision in `weighted_graph_check` could return incorrect authorization results

    If you're running the experimental `weighted_graph_check` feature, the cache collision bug means Check could return stale or wrong results for relationships in unions with direct types, wildcards, TTU paths, or intersections. This is an authorization correctness issue — wrong answers on permission checks. Upgrade before relying on this feature in any environment where correctness matters. If you can't upgrade immediately, disable the experimental feature flag.

  • breakingUpgrade immediately — deadlock and semaphore leak bugs affect production stability

    Two bugs here can quietly degrade running services. The deadlock in Check (message streams held open on error) can starve request processing over time. The semaphore leak in the bounded tuple reader under context cancellation means goroutine/resource exhaustion under load or timeout-heavy workloads. Neither requires config changes — just upgrade. If you've seen unexplained Check hangs or increasing resource pressure after cancellations, these are the culprits.

  • enhancementListObjects now handles short-circuit errors correctly

    A subtle bug was causing expected errors (non-fatal path short-circuits) to bubble up incorrectly in ListObjects responses. If you've seen unexpected errors returned from ListObjects queries that should have silently short-circuited, this fix resolves that. No action needed beyond upgrading — but worth re-validating ListObjects behavior in your test suite after the upgrade.

Key changes (5)
  • Fixed potential panic in command error handling
  • Fixed deadlock risk in Check by ensuring message streams close on error instead of hanging indefinitely
  • Fixed semaphore token leaks in the bounded tuple reader during context cancellation
  • Fixed cache key collisions in experimental `weighted_graph_check` affecting unions with multiple branches
  • Fixed incorrect error propagation in ListObjects when a path short-circuits
Source

OpenFGA

SecurityApr 27, 2026

v1.15.0 brings latency improvements for complex authorization models via edge pruning, fixes a cache bug in the experimental weighted graph checker, and patches Go stdlib CVEs by upgrading to Go 1.26.2.

  • securityUpdate immediately to patch Go stdlib vulnerabilities

    This release ships Go 1.26.2, which addresses vulnerabilities in the Go standard library. If you run OpenFGA as a managed binary or container, pull the new image now. If you build from source, ensure your toolchain matches. Don't wait on this — stdlib vulns can affect TLS, HTTP parsing, and crypto paths that OpenFGA relies on.

  • enhancementRe-benchmark list objects performance on complex models

    Edge pruning in the list objects pipeline cuts unnecessary graph traversal. If your authorization model has deep or wide relationship graphs, you should see reduced p99 latency on ListObjects calls. Run your existing load tests against v1.15.0 and compare — this is a free win that requires no config changes.

  • enhancementRe-evaluate weighted_graph_check cache behavior if you hit cold-start issues

    The experimental weighted_graph_check feature was silently skipping its cache on cold start or when the cache controller was disabled, which could explain unexpected latency spikes early in pod lifecycle. The fix aligns behavior with the documented contract: zero invalidation time means use the cache. If you're using this experimental feature, test it again — behavior will differ from what you may have measured before.

Key changes (3)
  • Edge pruning added to list objects pipeline — measurable latency reduction for large, complex authorization models
  • Fixed weighted_graph_check cache being incorrectly bypassed when cache controller returns zero invalidation time (cold start or disabled state)
  • Go toolchain bumped to 1.26.2 to address Go standard library security vulnerabilities
Source

OpenFGA

SecurityApr 10, 2026

v1.14.1 patches a host-header poisoning vulnerability in AuthZEN discovery and removes a vulnerable Docker dependency, plus minor ListObjects performance gains.

  • securityPatch the AuthZEN host-header poisoning vulnerability now

    The AuthZEN well-known discovery endpoint was returning URLs built from the request's Host header. An attacker could poison this to redirect clients to a malicious endpoint. If you expose the AuthZEN discovery metadata publicly, upgrade to v1.14.1 immediately. No config change needed — the fix is automatic once upgraded, as long as authzen.baseURL is correctly set in your server config.

  • securityAudit your image builds if you ship the OpenFGA test binary

    The github.com/docker/docker package carries known CVEs and was only used in test code. Production builds are unaffected, but if your pipeline somehow includes test binaries or vendor directories in container images, verify they no longer include the vulnerable package after upgrading.

  • enhancementSet an explicit server shutdown timeout for Kubernetes workloads

    The new shutdown timeout config option lets you control how long OpenFGA waits to drain in-flight requests before exiting. Without this, abrupt shutdowns can cause request errors during pod restarts. Set this to slightly less than your Kubernetes terminationGracePeriodSeconds to ensure clean handoff.

Key changes (5)
  • Security fix: AuthZEN discovery metadata now uses configured baseURL instead of request-supplied host headers, closing a host-header poisoning attack vector
  • Removed vulnerable github.com/docker/docker test dependency, replaced with Moby client & API
  • Configurable server shutdown timeout added — useful for graceful drain in Kubernetes environments
  • ListObjects heap allocations reduced, yielding minor but real latency improvements
  • Cache key generation faster by dropping fmt usage and extending control-character sanitization to tuples, conditions, and context
Source

OpenFGA

SecurityApr 3, 2026

v1.14.0 fixes a potential deadlock in ListObjects, improves intersection algorithm performance, and adds BatchCheck caching — plus a SQL serialization bug fix that affects PostgreSQL users.

  • securityPostgreSQL users: apply the SQL serialization fix

    The TupleOperation serialization and pgx.ErrNoRows fixes could cause silent data inconsistencies or incorrect error handling in PostgreSQL deployments. If you're running OpenFGA on Postgres, this fix alone justifies upgrading. Verify your tuple write/read behavior post-upgrade.

  • breakingReview CVE-2026-33729 and upgrade immediately

    The changelog explicitly references CVE-2026-33729. The release notes don't detail the full scope, but a CVE update in a patch/minor release demands immediate attention. Upgrade to v1.14.0 now and audit your deployment's exposure before the CVE details become widely known.

  • enhancementListObjects deadlock fix is critical for high-concurrency workloads

    A deadlock in the ListObjects pipeline is the kind of bug that only shows up under real production load. If you use ListObjects extensively — especially with concurrent callers — this fix is essential. After upgrading, stress-test ListObjects under your typical concurrency patterns to confirm stability.

  • enhancementBatchCheck caching reduces authorization latency at scale

    If your application calls BatchCheck repeatedly with overlapping tuples or conditions, the new caching layer will cut latency and backend load. No configuration changes are mentioned, so the benefit should be automatic — but monitor cache behavior through the new tuple iterator query stats to validate the improvement in your environment.

Key changes (5)
  • Fixed a potential deadlock in the ListObjects pipeline algorithm, improving reliability under concurrent load
  • Intersection algorithm rewritten for lower latency and reduced memory usage
  • BatchCheck results now cached, reducing redundant authorization checks
  • SQL TupleOperation serialization bug and pgx.ErrNoRows error handling fixed for PostgreSQL backends
  • Tuple iterator query stats added for better observability into database query behavior
Source

OpenFGA

SecurityMar 23, 2026

OpenFGA v1.13.0 ships AuthZen v1.0 support, separates Check v1/v2 caches, and hardens the resolver pipeline against panics.

  • securityUpgrade to stop resolver panics from taking down the server

    Unhandled panics in the pipeline base resolver previously had the potential to crash the OpenFGA process entirely. The fix converts these to returned errors, keeping the server running. If you've seen unexpected OpenFGA restarts under complex authorization graph evaluations, this is likely why. Upgrade promptly — this is a reliability fix with meaningful availability implications.

  • breakingSeparate Check v1/v2 caches may change cache hit behavior — review your cache sizing

    Previously, Check v1 and v2 shared a single cache, which could lead to cross-contamination but also inadvertent cache hits. Now they're isolated. If you're running both API versions concurrently, your effective cache hit rate may drop and memory usage could shift. Revisit your cache capacity configuration after upgrading and monitor cache hit ratios in your observability stack.

  • enhancementEvaluate AuthZen v1.0 for cross-system authorization interop

    AuthZen v1.0 is the emerging standard for authorization API interoperability across CNCF and broader ecosystem tools. If you're integrating OpenFGA with other policy engines or building a multi-system authz layer, test the new AuthZen endpoint now. Early adoption means your integration patterns align with where the ecosystem is heading rather than needing a retrofit later.

Key changes (4)
  • AuthZen v1.0 standard implemented — OpenFGA now speaks the CNCF authorization interoperability spec
  • Separate cache layers for Check v1 and Check v2 APIs, preventing cross-version cache pollution
  • Panics in the pipeline's base resolver are now caught and returned as errors instead of crashing the process
  • List-objects span aggregation improved — message stats per sender now roll up into a single trace span for cleaner observability
Source

OpenFGA

SecurityMar 13, 2026

OpenFGA v1.12.0 improves operational reliability with automatic TLS certificate rotation, enhanced input validation, and critical race condition fixes.

  • securityUpgrade for Go stdlib vulnerability fixes

    This release addresses two Go standard library vulnerabilities (GO-2026-4603 and GO-2026-4601). Plan your upgrade to eliminate these security risks in production deployments.

  • enhancementConfigure gRPC message size limits

    Review your current message sizes and set appropriate limits using the new configuration option to prevent resource exhaustion attacks and improve system stability.

  • enhancementBenefit from automatic certificate rotation

    If you're using cert-manager or similar certificate rotation tools, this release eliminates connection failures during certificate updates. Test your certificate rotation process after upgrading to verify the improvement.

Key changes (5)
  • gRPC message size limits now configurable for better resource control
  • HTTP gateway automatically handles TLS certificate rotation without connection failures
  • Tuple validation rejects unicode control characters and null bytes for security
  • Race condition in check reducers fixed to prevent non-deterministic execution
  • Cache metrics corrected to prevent indefinite upward drift on overwrites
Source

OpenFGA

SecurityFeb 23, 2026

OpenFGA v1.11.6 enables ListObjects pipeline by default for improved performance, upgrades gRPC client implementation, and addresses a security vulnerability in grpc-health-probe.

  • securityUpdate deployments using grpc-health-probe

    If you're using grpc-health-probe for health checks in your OpenFGA deployments, this update addresses CVE-2025-68121. Verify your container images are pulling the latest version and update any standalone grpc-health-probe binaries.

  • enhancementTest ListObjects pipeline performance impact

    The new default ListObjects pipeline algorithm may improve query performance but could change behavior. Monitor your ListObjects API calls after upgrade and be prepared to disable it with listObjects-pipeline-enabled=false if you encounter issues.

Key changes (3)
  • ListObjects pipeline algorithm now enabled by default (can be disabled with listObjects-pipeline-enabled=false)
  • Migration from deprecated grpc.DialContext to grpc.NewClient for grpc-gateway client
  • Security update: grpc-health-probe bumped to v0.4.45 addressing CVE-2025-68121
Source