Headline
GHSA-2c64-vmv2-hgfc: OpenFGA Improper Policy Enforcement
Overview
OpenFGA v1.4.0 to v1.11.0 (openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed.
Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:
- You are using OpenFGA v1.4.0 to v1.11.0
- The model has a relation directly assignable by a type bound public access with condition
- The same relation is not assignable by a type bound public access without condition
- You have a type assigned for the same relation that is a type bound public access without condition
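The three preconditions above are a model-plus-tuple shape, so a quick triage helper can flag it. This is an added example, not code from the advisory or the OpenFGA project; it assumes the authorization-model JSON layout (`type_definitions` → `metadata.relations` → `directly_related_user_types` entries carrying `type`, `wildcard` and an optional `condition`) and tuple keys with `user`, `relation`, `object` and optional `condition`, and the sample model and tuples are constructed.

```python
# Added triage helper (not from the advisory or OpenFGA). Field names below are
# assumptions about the authorization-model JSON and tuple-key shape.

def wildcard_refs(model):
    """Map (object_type, relation) -> set of condition names for type-bound
    public access references ('type:*'); '' marks an unconditioned wildcard."""
    refs = {}
    for td in model.get("type_definitions", []):
        rels = td.get("metadata", {}).get("relations", {})
        for rel, meta in rels.items():
            for ref in meta.get("directly_related_user_types", []):
                if "wildcard" in ref:
                    refs.setdefault((td["type"], rel), set()).add(ref.get("condition", ""))
    return refs

def affected_relations(model, tuples):
    """Return (object_type, relation) pairs meeting all three preconditions."""
    refs = wildcard_refs(model)
    hits = set()
    for t in tuples:
        key = (t["object"].split(":", 1)[0], t["relation"])
        conds = refs.get(key, set())
        has_conditioned = any(c != "" for c in conds)   # assignable by 'type:* with cond'
        has_plain = "" in conds                         # assignable by bare 'type:*'
        plain_wildcard_tuple = t["user"].endswith(":*") and not t.get("condition")
        if has_conditioned and not has_plain and plain_wildcard_tuple:
            hits.add(key)
    return hits

# Constructed sample: 'viewer' only allows a conditioned wildcard, 'editor'
# allows a plain one, so only the unconditioned viewer tuple is flagged.
SAMPLE_MODEL = {"type_definitions": [
    {"type": "user"},
    {"type": "document", "metadata": {"relations": {
        "viewer": {"directly_related_user_types": [
            {"type": "user", "wildcard": {}, "condition": "in_business_hours"}]},
        "editor": {"directly_related_user_types": [
            {"type": "user"}, {"type": "user", "wildcard": {}}]}}}}]}

SAMPLE_TUPLES = [
    {"user": "user:*", "relation": "viewer", "object": "document:1"},
    {"user": "user:*", "relation": "viewer", "object": "document:2",
     "condition": {"name": "in_business_hours"}},
    {"user": "user:*", "relation": "editor", "object": "document:3"},
]

if __name__ == "__main__":
    print(affected_relations(SAMPLE_MODEL, SAMPLE_TUPLES))
```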
Fix
Upgrade to v1.11.1. This upgrade is backwards compatible.
Workaround
None
- CVE-2025-64751
OpenFGA Improper Policy Enforcement
Moderate severity GitHub Reviewed Published Nov 20, 2025 in openfga/openfga
Package
gomod github.com/openfga/openfga (Go)
Affected versions
>= 1.4.0, <= 1.11.0
References
- GHSA-2c64-vmv2-hgfc
- https://github.com/openfga/openfga/releases/tag/v1.11.1
Published to the GitHub Advisory Database
Nov 20, 2025