GHSA-w222-m46c-mgh6: OpenFGA Authorization Bypass
Overview
OpenFGA v1.8.10 or previous (Helm chart <= openfga-0.2.28, docker <= v1.8.10) is vulnerable to authorization bypass when certain Check and ListObjects calls are executed.
Am I Affected?
If you are using OpenFGA v1.8.10 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability:
- Calling the Check API or ListObjects API with an authorization model that has a tuple cycle.
- Check query cache is enabled, and
- There are multiple Check / ListObjects requests involving the tuple cycle within the check query cache TTL.
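As an added example (not from the advisory or the OpenFGA project), the Go program below walks a set of relationship tuples and reports the usersets that close a tuple cycle, i.e. the first of the three conditions above; it inspects tuple data only, not the model's relation definitions, and the "object#relation@user" notation and the sample tuples are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// FindTupleCycles takes tuples written as "object#relation@user" (user is a plain subject
// such as "user:anne" or a userset such as "group:b#member") and returns, sorted, every
// userset that sits on a cycle of userset-to-userset tuples; empty means no tuple cycle.
func FindTupleCycles(tuples []string) []string {
	graph := map[string][]string{} // userset -> usersets its tuples delegate to
	for _, t := range tuples {
		from, user, ok := strings.Cut(t, "@")
		if ok && strings.Contains(user, "#") { // plain users cannot close a cycle
			graph[from] = append(graph[from], user)
		}
	}
	state := map[string]int{} // 0 unvisited, 1 on the current DFS path, 2 finished
	var path, cycles []string
	var visit func(string)
	visit = func(n string) {
		state[n], path = 1, append(path, n)
		for _, next := range graph[n] {
			if state[next] == 0 {
				visit(next)
			} else if state[next] == 1 { // back edge: the path from next back to n is a cycle
				cycles = append(cycles, next)
				for i := len(path) - 1; path[i] != next; i-- {
					cycles = append(cycles, path[i])
				}
			}
		}
		state[n], path = 2, path[:len(path)-1]
	}
	for n := range graph {
		if state[n] == 0 {
			visit(n)
		}
	}
	slices.Sort(cycles)
	return slices.Compact(cycles) // a userset may be hit by several back edges
}

func main() {
	// Constructed sample: group:a and group:b delegate membership to each other.
	fmt.Println(FindTupleCycles([]string{"group:a#member@group:b#member", "group:b#member@group:a#member",
		"group:c#member@user:anne", "document:1#viewer@group:c#member"})) // [group:a#member group:b#member]
}
```

Running it over a store's exported tuples tells you whether the cache-related conditions even need to be considered for that store.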
Fix
Upgrade to v1.8.11. This upgrade is backwards compatible.
CVE ID
CVE-2025-46331
Severity: Moderate (GitHub Reviewed). Published Apr 30, 2025 in openfga/openfga; updated Apr 30, 2025.
Package
gomod github.com/openfga/openfga (Go)
Affected versions
>= 1.3.6, < 1.8.11
References
- GHSA-w222-m46c-mgh6
- openfga/openfga@244302e
Published to the GitHub Advisory Database
Apr 30, 2025
Last updated
Apr 30, 2025