CVE-2024-31452

OpenFGA Authorization Bypass

CVSS 8.1 HIGH · EPSS 0.7% · CWE-863 (Incorrect Authorization)
In short

OpenFGA v1.5.0 through v1.5.2 contain a flaw in how the Check and ListObjects APIs evaluate authorization models that use exclusion or intersection rules (such as "allow A but not B" or "allow only A and B"). In those deployments a user can be granted access to, or see in a listing, resources the model is meant to deny. The fix shipped in v1.5.3.

Technical detail

CVE-2024-31452 affects OpenFGA's Check and ListObjects APIs when the authorization model uses the exclusion operator (`a but not b`) or the intersection operator (`a and b`). Under those conditions the engine can return an authorization decision that does not match the model, so a caller may receive an allow on Check, or an object in ListObjects, that the exclusion or intersection should have withheld. The CVSS vector scores this as network-reachable with no privileges required but high attack complexity (AV:N/AC:H/PR:N). Deployments on v1.5.0, v1.5.1 or v1.5.2 whose models contain either operator should upgrade to v1.5.3, where the issue is resolved; models that use only union (`or`) and direct relations are not called out by the advisory.

Summary generated and translated by AI from the official description.
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3.
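The description above gives two conditions for exposure: a server version from v1.5.0 up to but not including v1.5.3, and a model that uses exclusion or intersection. The scanner below is an added example written for this page, not code from the advisory or the OpenFGA project. It assumes the OpenFGA JSON authorization-model format (as returned by `GET /stores/{store_id}/authorization-models/{id}`), in which `but not` is serialised as a `difference` rewrite and `and` as an `intersection` rewrite, and it assumes version strings of the form `v1.5.2`. The embedded model is constructed for the example.

```python
"""
Added check for CVE-2024-31452 (not code from the advisory or the OpenFGA
project). It combines the two conditions the advisory names: a server version
in v1.5.0 <= v < v1.5.3, and an authorization model whose relations use
exclusion ("but not", serialised as "difference") or intersection ("and",
serialised as "intersection"). Input: the JSON authorization model as returned
by GET /stores/{store_id}/authorization-models/{id}.
"""
import json
import re

AFFECTED_MIN = (1, 5, 0)   # first vulnerable release per the advisory
FIXED_IN = (1, 5, 3)       # first fixed release per the advisory

# Rewrite operators the advisory ties to the bypass.
RISKY_OPS = {"difference", "intersection"}


def parse_version(v: str) -> tuple[int, int, int]:
    """Accept 'v1.5.2', '1.5.2' or '1.5.2-rc1'; return (major, minor, patch)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised OpenFGA version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(v: str) -> bool:
    """True when the server version lies in the affected range."""
    return AFFECTED_MIN <= parse_version(v) < FIXED_IN


def _collect_ops(rewrite, found: set) -> None:
    """Walk one relation's userset-rewrite tree and record the set operators it uses."""
    if not isinstance(rewrite, dict):
        return
    for op, body in rewrite.items():
        if op == "difference":
            found.add(op)
            _collect_ops(body.get("base"), found)
            _collect_ops(body.get("subtract"), found)
        elif op in ("union", "intersection"):
            if op == "intersection":
                found.add(op)
            for child in body.get("child", []):
                _collect_ops(child, found)
        # "this", "computedUserset" and "tupleToUserset" are leaves.


def risky_relations(model: dict) -> list[tuple[str, str, list[str]]]:
    """Return (type, relation, operators) for each relation using exclusion or intersection."""
    hits = []
    for td in model.get("type_definitions", []):
        for rel, rewrite in (td.get("relations") or {}).items():
            ops: set = set()
            _collect_ops(rewrite, ops)
            if ops & RISKY_OPS:
                hits.append((td["type"], rel, sorted(ops & RISKY_OPS)))
    return hits


def assess(model: dict, server_version: str) -> dict:
    """Combine both conditions into one verdict."""
    hits = risky_relations(model)
    vuln_version = version_affected(server_version)
    return {
        "server_version_affected": vuln_version,
        "risky_relations": hits,
        "likely_affected": vuln_version and bool(hits),
    }


# Constructed sample model for the example. Relation metadata
# (directly_related_user_types) is omitted because the scanner does not use it.
# `viewer` is an exclusion, `publisher` an intersection; `union_only` uses only
# union, which the advisory does not flag on its own.
SAMPLE_MODEL = json.loads("""
{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "document",
     "relations": {
       "blocked":  {"this": {}},
       "editor":   {"this": {}},
       "approver": {"this": {}},
       "viewer": {"difference": {
           "base":     {"computedUserset": {"object": "", "relation": "editor"}},
           "subtract": {"computedUserset": {"object": "", "relation": "blocked"}}}},
       "publisher": {"intersection": {"child": [
           {"computedUserset": {"object": "", "relation": "editor"}},
           {"computedUserset": {"object": "", "relation": "approver"}}]}},
       "union_only": {"union": {"child": [
           {"this": {}},
           {"computedUserset": {"object": "", "relation": "editor"}}]}}
     }}
  ]
}
""")

if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else "v1.5.2"
    model = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_MODEL
    print(json.dumps(assess(model, version), indent=2))
```

Run it as `python scan.py v1.5.2 model.json` against an exported model; a `likely_affected` verdict of true means both advisory conditions hold and the server should be moved to v1.5.3. The walk is recursive on purpose: a `difference` or `intersection` nested inside a `union` still counts, which a flat key check would miss.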
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
openfga · openfga (v1.5.0 to v1.5.2; fixed in v1.5.3)
