CVE-2025-48371
OpenFGA Authorization Bypass
In short
OpenFGA, a permission system, has a flaw in versions 1.8.0 to 1.8.12 that allows someone to bypass authorization checks under specific conditions involving how permissions are defined. This means an attacker could gain access to resources they shouldn't be allowed to access.
Technical detail
An authorization bypass vulnerability exists in OpenFGA's Check and ListObjects APIs when an authorization model defines a relationship assignable by both type-bound public access and usersets, combined with contextual tuples where the user field is a userset but type-bound public access tuples are absent. The vulnerability requires specific model configuration and contextual tuple conditions to be exploited, potentially allowing unauthorized access to protected resources.
Summary generated and translated by AI from the official description.
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples’s user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H