Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 57fdcd2ea2cf · 2026-03-26T17:23:36.000Z
GHSA-h6c8-cww8-35hf GHSA-h8w2-rv57-vc6f
diff --git a/advisories/github-reviewed/2026/03/GHSA-h6c8-cww8-35hf/GHSA-h6c8-cww8-35hf.json b/advisories/github-reviewed/2026/03/GHSA-h6c8-cww8-35hf/GHSA-h6c8-cww8-35hf.json
@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h6c8-cww8-35hf",
+  "modified": "2026-03-26T17:21:50Z",
+  "published": "2026-03-26T17:21:50Z",
+  "aliases": [
+    "CVE-2026-33729"
+  ],
+  "summary": "OpenFGA has an Authorization Bypass through cached keys",
+  "details": "### Description\nIn OpenFGA, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request.\n\n### Am I Affected?\nUsers are affected if the following preconditions are met:\n1. The model has relations which rely on condition evaluation.\n1. Caching is enabled.\n\n### Fix\nUpgrade to OpenFGA v1.13.1.\n\n### Acknowledgement\nOpenFGA would like to thank @Amemoyoi for the discovery and responsible disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/openfga/openfga"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.13.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-h6c8-cww8-35hf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openfga/openfga/commit/049b50ccd2cc7e163bd897f3d17a7b859ad146f8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openfga/openfga"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openfga/openfga/releases/tag/v1.13.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1289",
+      "CWE-20",
+      "CWE-345"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T17:21:50Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-h8w2-rv57-vc6f/GHSA-h8w2-rv57-vc6f.json b/advisories/github-reviewed/2026/03/GHSA-h8w2-rv57-vc6f/GHSA-h8w2-rv57-vc6f.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h8w2-rv57-vc6f",
+  "modified": "2026-03-26T17:22:54Z",
+  "published": "2026-03-26T17:22:53Z",
+  "aliases": [],
+  "summary": "splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution",
+  "details": "In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:\n1. Splunk Distribution of OpenTelemetry Java is attached as a Java agent (`-javaagent`)\n2. An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service)\n3. A gadget-chain-compatible library is present on the classpath\n\n### Impact\nArbitrary remote code execution with the privileges of the user running the instrumented JVM.\n\n### Recommendation\nUpgrade to version 2.26.1 or later.\n\n### Workarounds\nSet the following system property to disable the RMI integration:\n\n```\n-Dotel.instrumentation.rmi.enabled=false\n```\n\n### References\n[Advisory in OpenTelemetry Instrumentation for Java](https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.splunk:splunk-otel-javaagent"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.26.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/signalfx/splunk-otel-java/security/advisories/GHSA-h8w2-rv57-vc6f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/signalfx/splunk-otel-java"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1395",
+      "CWE-502"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T17:22:53Z",
+    "nvd_published_at": null
+  }
+}
