CVE-2024-56323

OpenFGA Authorization Bypass

CVSS 5.8 MEDIUM · EPSS 0.4% · CWE-285
In short

OpenFGA, an authorization system, has a flaw where it incorrectly caches permission decisions when using advanced features like conditions and contextual data. An attacker could exploit this to bypass permission checks and gain unauthorized access to resources.

Technical detail

CVE-2024-56323 is an authorization bypass in OpenFGA v1.3.8–v1.8.2 affecting Check/ListObjects APIs when conditions and contextual tuples are used simultaneously with query caching enabled. The vulnerability stems from improper cache handling of conditional authorization logic, allowing attackers to reuse cached positive decisions for unauthorized access requests. Mitigation requires upgrading to v1.8.3 or disabling the check query cache.

Summary generated and translated by AI from the official description.
OpenFGA is an authorization/permission engine. OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. calling Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Affected products
openfga · openfga
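
The version ranges and the cache setting named in the description can be checked against a deployment inventory. The following Python is an added example, not OpenFGA project code; the record fields (`server`, `chart`, `env`, `model_uses_conditions`), the result labels, and the set of values treated as "enabled" are assumptions made for illustration.

```python
import re

# Inclusive ranges copied from the advisory text on this page.
AFFECTED_SERVER = ((1, 3, 8), (1, 8, 2))
AFFECTED_CHART = ((0, 1, 38), (0, 2, 19))
CACHE_ENV = "OPENFGA_CHECK_QUERY_CACHE_ENABLED"
# Assumption: these spellings mean "enabled"; unset or anything else means disabled.
TRUTHY = {"1", "t", "true"}


def parse_version(text):
    """Parse 'v1.8.2', '1.8.2' or 'openfga-0.2.19' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"(?:openfga-)?v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        # Pre-release or malformed strings are rejected so they get a manual look.
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def in_range(version, bounds):
    """Numeric comparison, so 1.10.0 sorts after 1.8.2 (string comparison would not)."""
    low, high = bounds
    return low <= parse_version(version) <= high


def triage(deployment):
    """Return 'exposed', 'vulnerable-version' or 'not-affected' for one record."""
    if "server" in deployment:
        affected = in_range(deployment["server"], AFFECTED_SERVER)
    else:
        affected = in_range(deployment["chart"], AFFECTED_CHART)
    if not affected:
        return "not-affected"
    env = deployment.get("env", {})
    cache_on = env.get(CACHE_ENV, "").strip().lower() in TRUTHY
    # Whether the model uses conditions is often unknown from config alone: assume yes.
    uses_conditions = deployment.get("model_uses_conditions", True)
    return "exposed" if cache_on and uses_conditions else "vulnerable-version"


# Constructed sample inventory (hypothetical deployments, not real systems).
INVENTORY = [
    {"name": "authz-prod", "server": "v1.8.2", "env": {CACHE_ENV: "true"}},
    {"name": "authz-stage", "chart": "openfga-0.2.19", "env": {}},
    {"name": "authz-dev", "server": "v1.8.3", "env": {CACHE_ENV: "true"}},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d["name"], triage(d))
```

A `vulnerable-version` result means the release is in the affected range but the cache condition was not observed; the advisory's fix for those deployments is still the upgrade to v1.8.3.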
