CVE-2022-39341
OpenFGA Authorization Bypass
In short
OpenFGA, an open-source authorization engine, had a flaw in how it handled wildcard (`*`) users on tupleset relations, the relations that a `from` rewrite such as `viewer from parent` reads through. Under certain conditions a Check could answer "allowed" for a subject the model was meant to deny. This matters because applications delegate their access decisions to OpenFGA, so a wrong answer from it translates directly into unauthorized access to the operations and resources it guards.
Technical detail
OpenFGA versions before 0.2.4 contain an authorization bypass affecting authorization models that define a wildcard (`*`) on a tupleset relation. A tupleset relation is the one a tuple-to-userset rewrite follows: in `define viewer as viewer from parent`, `parent` is the tupleset, and Check walks the tuples stored on `document#parent` to the related objects and evaluates `viewer` there. When a wildcard is assigned to that relation, resolution can proceed through it in a way the model author did not intend, so a Check can return allowed for a subject who should have been denied. The CVSS vector rates the issue as network-reachable with no privileges required but high attack complexity, and with a high integrity impact, reflecting that exploitation depends on the particular model and tuples a deployment holds. Version 0.2.4 contains the fix; until it is deployed, any model that assigns `*` to a tupleset relation should be treated as exposed.
Summary generated and translated by AI from the official description.
OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (`*`) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch for this issue.
CVSS 3.1 base score 5.9 (Medium): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
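The audit helper below is an added example, not code from the OpenFGA project. It walks an authorization model in OpenFGA's JSON type-definition shape, collects every relation used as a tupleset (the `tupleset.relation` of a `tupleToUserset` rewrite, recursing through `union`, `intersection` and `difference`), and then flags stored tuples that assign a wildcard user to one of those relations, which is the configuration the advisory describes as vulnerable. The model and tuples are constructed samples, the `*` form is the wildcard used by 0.2.x tuples, and the `type:*` branch is an assumption covering the typed wildcard syntax of later schema versions.

```python
from __future__ import annotations

# Added audit example for CVE-2022-39341; not code from the OpenFGA project.
# Assumptions: the model is in OpenFGA's JSON type-definition shape, tuples are
# plain dicts with object/relation/user, and a wildcard user is "*" (0.2.x form)
# or "type:*" (typed form of later schema versions).

# Constructed sample model. `viewer` on a document is resolved through the
# document's `parent` (a tuple-to-userset rewrite), so `parent` is a tupleset
# relation on type `document`.
SAMPLE_MODEL = {
    "type_definitions": [
        {"type": "folder", "relations": {"viewer": {"this": {}}}},
        {
            "type": "document",
            "relations": {
                "parent": {"this": {}},
                "owner": {"this": {}},
                "viewer": {
                    "union": {
                        "child": [
                            {"this": {}},
                            {"computedUserset": {"relation": "owner"}},
                            {
                                "tupleToUserset": {
                                    "tupleset": {"relation": "parent"},
                                    "computedUserset": {"relation": "viewer"},
                                }
                            },
                        ]
                    }
                },
            },
        },
    ]
}

# Constructed sample tuples, in the shape a Read call returns.
SAMPLE_TUPLES = [
    # wildcard on the tupleset relation: the pattern the advisory warns about
    {"object": "document:budget", "relation": "parent", "user": "*"},
    # wildcard on a direct relation: ordinary public access, not a tupleset
    {"object": "document:budget", "relation": "viewer", "user": "*"},
    # normal parent link
    {"object": "document:budget", "relation": "parent", "user": "folder:finance"},
]


def _tuplesets_in_rewrite(rewrite: dict) -> set[str]:
    """Recursively collect tupleset relation names from one userset rewrite."""
    found: set[str] = set()
    if "tupleToUserset" in rewrite:
        found.add(rewrite["tupleToUserset"]["tupleset"]["relation"])
    for op in ("union", "intersection"):
        for child in rewrite.get(op, {}).get("child", []):
            found |= _tuplesets_in_rewrite(child)
    if "difference" in rewrite:
        for key in ("base", "subtract"):
            found |= _tuplesets_in_rewrite(rewrite["difference"].get(key, {}))
    return found


def tupleset_relations(model: dict) -> dict[str, set[str]]:
    """Map each object type to the relations its rewrites use as tuplesets."""
    result: dict[str, set[str]] = {}
    for td in model.get("type_definitions", []):
        names: set[str] = set()
        for rewrite in td.get("relations", {}).values():
            names |= _tuplesets_in_rewrite(rewrite)
        if names:
            result[td["type"]] = names
    return result


def is_wildcard_user(user: str) -> bool:
    """True for "*" (OpenFGA 0.2.x) or "type:*" (later typed wildcard syntax)."""
    return user == "*" or user.endswith(":*")


def find_wildcard_tupleset_tuples(model: dict, tuples: list[dict]) -> list[dict]:
    """Return the tuples that assign a wildcard user to a tupleset relation."""
    tuplesets = tupleset_relations(model)
    findings = []
    for t in tuples:
        object_type = t["object"].split(":", 1)[0]
        if is_wildcard_user(t["user"]) and t["relation"] in tuplesets.get(object_type, set()):
            findings.append(t)
    return findings


if __name__ == "__main__":
    for hit in find_wildcard_tupleset_tuples(SAMPLE_MODEL, SAMPLE_TUPLES):
        print(f"wildcard on tupleset relation: {hit['object']}#{hit['relation']}@{hit['user']}")
```

Run against a model fetched from the authorization-models endpoint and the tuples returned by Read for a store; a non-empty result on a server older than 0.2.4 means the store holds exactly the data the advisory describes, and the affected tuples should be removed before or alongside the upgrade. A wildcard on a direct relation such as `document#viewer` is not reported, since it is not a tupleset and is outside this issue.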
Affected products
openfga · openfga