CVE-2025-46331

OpenFGA Authorization Bypass

CVSS 5.8 MEDIUM · EPSS 0.3% · CWE-284
In short

OpenFGA versions 1.3.6 to 1.8.10 have a flaw that allows attackers to bypass authorization checks through specially crafted Check and ListObject requests, potentially gaining unauthorized access to protected resources.

Technical detail

OpenFGA versions 1.3.6 through 1.8.10 contain an authorization bypass vulnerability in the Check and ListObjects API endpoints (CWE-284, Improper Access Control). An attacker can send specially crafted Check and ListObjects requests that circumvent permission validation, obtaining access to resources without the intended authorization evaluation taking place. The affected distributions are Helm chart versions up to openfga-0.2.28 and Docker images up to v1.8.10; the issue is fixed in OpenFGA 1.8.11.

Summary generated and translated by AI from the official description.
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v1.8.10) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. This issue has been patched in version 1.8.11.

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Affected products
openfga (vendor) · openfga (product)