CVE-2025-64751

OpenFGA Improper Policy Enforcement

CVSS 5.8 MEDIUM · EPSS 0.3% · CWE-285
In short

OpenFGA, an authorization engine, fails to properly enforce access policies in certain permission checks. This means an application using OpenFGA might incorrectly allow or deny user access to resources due to flawed policy evaluation logic.

Technical detail

OpenFGA versions 1.4.0 through 1.11.0 contain improper policy enforcement in Check and ListObject API calls, potentially allowing authorization bypass or incorrect permission decisions. The vulnerability affects Helm chart versions openfga-0.1.34 to openfga-0.2.48 and Docker images up to v.1.11.0; remediation requires upgrading to version 1.11.1 or later.
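The version ranges above are the actionable part of the advisory for a defender, so here is an added example (not code from the advisory or from the OpenFGA project) that normalises the tag formats the advisory itself uses ("v1.11.0", "v.1.11.0", "openfga-0.2.48") and reports whether each entry of a deployment inventory falls inside the affected range. The inventory entries and the component labels "docker" and "helm-chart" are constructed sample data for illustration.

```python
"""Affected-version triage for CVE-2025-64751 (added example, not part of the advisory).

Ranges are taken from the advisory text: OpenFGA v1.4.0 through v1.11.0 (patched in
1.11.1) and Helm chart openfga-0.1.34 through openfga-0.2.48, all bounds inclusive.
"""
import re

# Inclusive affected ranges as stated in the advisory.
OPENFGA_AFFECTED = ((1, 4, 0), (1, 11, 0))
HELM_AFFECTED = ((0, 1, 34), (0, 2, 48))
OPENFGA_FIXED = "1.11.1"

# Accepts '1.11.0', 'v1.11.0', 'v.1.11.0' (the advisory's own spelling) and
# 'openfga-0.2.48'. Anything else (e.g. 'latest', a digest, a pre-release tag)
# deliberately fails to parse so it is surfaced for manual review.
_VERSION_RE = re.compile(r"^(?:openfga-)?v?\.?(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag):
    """Return (major, minor, patch) for a release tag, or None if it is not one."""
    m = _VERSION_RE.match(tag.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version, affected_range):
    """Inclusive range check on integer version tuples."""
    lo, hi = affected_range
    return lo <= version <= hi


def assess(component, tag):
    """Classify one inventory entry.

    component: 'helm-chart' for the chart version, anything else is treated as the
    OpenFGA server version (Docker image tag or binary release).
    Returns (status, detail) with status in {'affected', 'not-affected', 'unknown'}.
    """
    version = parse_version(tag)
    if version is None:
        return "unknown", f"{component} tag {tag!r} is not a release version; verify manually"
    rng = HELM_AFFECTED if component == "helm-chart" else OPENFGA_AFFECTED
    if is_affected(version, rng):
        return "affected", (f"{component} {tag} is in the vulnerable range; "
                            f"upgrade to OpenFGA {OPENFGA_FIXED} or later")
    return "not-affected", f"{component} {tag} is outside the advisory's affected range"


def scan(inventory):
    """Run assess() over (component, tag) pairs; returns (component, tag, status, detail)."""
    return [(c, t, *assess(c, t)) for c, t in inventory]


# Constructed sample inventory (hypothetical deployments, not real data).
SAMPLE_INVENTORY = [
    ("docker", "v1.11.0"),          # last affected server release
    ("docker", "v.1.11.0"),         # same release, advisory's own notation
    ("docker", "1.11.1"),           # patched
    ("docker", "1.3.9"),            # predates the affected range
    ("docker", "latest"),           # floating tag: cannot be judged from the tag alone
    ("helm-chart", "openfga-0.2.48"),  # last affected chart
    ("helm-chart", "openfga-0.2.49"),  # outside the affected chart range
    ("helm-chart", "openfga-0.1.33"),  # predates the affected chart range
]

if __name__ == "__main__":
    for component, tag, status, detail in scan(SAMPLE_INVENTORY):
        print(f"{status:13} {component:10} {tag:18} {detail}")
```

Floating tags such as `latest` are reported as `unknown` rather than guessed at: the only safe way to classify them is to resolve the image and read the version the running binary reports.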

Summary generated and translated by AI from the official description.

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 (openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Affected products
openfga · openfga
