CVE-2023-40579

OpenFGA Authorization Bypass

CVSS 6.5 (Medium) · EPSS 0.5% · CWE-284
In short

OpenFGA versions 1.3.0 and earlier have a flaw in the ListObjects API that allows unauthorized access to objects in certain permission models. Attackers can bypass authorization checks when the model uses specific relationship expressions, potentially exposing data they shouldn't access.

Technical detail

The ListObjects API in OpenFGA 1.3.0 and earlier does not correctly enforce authorization checks when the permission model contains relationship expressions of the form `rel1 from type1`. An attacker with access to `ListObjects` can enumerate objects they lack permission for, bypassing the intended access controls. The issue is resolved in version 1.3.1.

Summary generated and translated by AI from the official description.

Official description

OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using `ListObjects` with specific models. The affected models contain expressions of type `rel1 from type1`. This issue has been patched in version 1.3.1.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
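Whether a deployment is exposed depends on two things the advisory names: the server version (1.3.0 or earlier) and whether the authorization model contains a `rel1 from type1` expression. The script below is an added example, not OpenFGA project code, that scans a model written in the OpenFGA DSL for those expressions and combines the result with the server version. It assumes the DSL form `define viewer: viewer from parent` is what the advisory calls `rel1 from type1` (OpenFGA's tuple-to-userset syntax); the sample model, the function names and the `TtuRelation` type are constructed for illustration.

```python
"""Audit an OpenFGA authorization model for the expression shape named in
CVE-2023-40579 (`X from Y` terms in `define` lines) and check whether the
server version is in the affected range (1.3.0 and earlier).

Added example; not OpenFGA project code. The model text is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample model in OpenFGA DSL (schema 1.1). The `viewer from parent`
# term is the kind of expression the advisory describes as `rel1 from type1`.
SAMPLE_MODEL = """
model
  schema 1.1

type user

type folder
  relations
    define viewer: [user]

type document
  relations
    define parent: [folder]
    define owner: [user]
    define viewer: owner or viewer from parent
"""

# Matches one `rel1 from rel2` term inside a define expression.
TTU_PATTERN = re.compile(r"\b(\w+)\s+from\s+(\w+)\b")


@dataclass(frozen=True)
class TtuRelation:
    object_type: str   # type whose relation is being defined
    relation: str      # relation being defined
    computed: str      # rel1 in `rel1 from rel2`
    tupleset: str      # rel2 in `rel1 from rel2`


def find_ttu_relations(model_dsl: str) -> list[TtuRelation]:
    """Return every `X from Y` term found in `define` lines, tagged with its type."""
    found: list[TtuRelation] = []
    current_type = None
    for raw in model_dsl.splitlines():
        line = raw.strip()
        if line.startswith("type "):
            current_type = line.split(None, 1)[1].strip()
            continue
        if line.startswith("define ") and current_type is not None:
            name, _, expr = line[len("define "):].partition(":")
            for computed, tupleset in TTU_PATTERN.findall(expr):
                found.append(TtuRelation(current_type, name.strip(), computed, tupleset))
    return found


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'v1.3.0', '1.3.1' or '1.3.0-rc1' into a comparable tuple of ints."""
    return tuple(int(p) for p in version.lstrip("v").split("-")[0].split("."))


def is_affected_version(version: str) -> bool:
    """Per the advisory, v1.3.0 and earlier are affected; 1.3.1 is patched."""
    return parse_version(version) <= (1, 3, 0)


def assess(model_dsl: str, server_version: str) -> dict:
    """Exposed only when both conditions from the advisory hold."""
    ttus = find_ttu_relations(model_dsl)
    affected = is_affected_version(server_version)
    return {"affected_version": affected, "ttu_relations": ttus,
            "exposed": affected and bool(ttus)}


if __name__ == "__main__":
    result = assess(SAMPLE_MODEL, "v1.3.0")
    for r in result["ttu_relations"]:
        print(f"{r.object_type}#{r.relation}: {r.computed} from {r.tupleset}")
    print("upgrade to 1.3.1 or later" if result["exposed"] else "not exposed")
```

A model with no `from` terms is not affected regardless of version; a model that has them is only safe once the server runs 1.3.1 or later, so the upgrade, not a model rewrite, is the fix the advisory points to.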
Affected products
openfga · openfga
