Moderate severity · NVD Advisory · Published Apr 30, 2025 · Updated May 1, 2025

OpenFGA Authorization Bypass

CVE-2025-46331

Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.3.6 through v1.8.10 (Helm chart <= openfga-0.2.28, docker <= v1.8.10) are vulnerable to authorization bypass when certain Check and ListObjects calls are executed. This issue has been patched in version 1.8.11.
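To show the defect the patch addresses in isolation, here is an added Go example that is not OpenFGA's code: a toy cached check resolver with a switch between the pre-1.8.11 behaviour (every response is cached) and the patched behaviour (a cycle-detected response is never cached). The resolver, the "object#relation@user" key format and the inner check that reports a cycle on its first visit are all constructed for illustration.

```go
package main

// CheckResponse stands in for the engine's answer: Allowed plus the marker the
// resolver sets when it abandons a recursive relation because of a cycle.
type CheckResponse struct {
	Allowed       bool
	CycleDetected bool
}

// CachedResolver wraps an uncached check (constructed "object#relation@user"
// keys) with a map cache; skipCycles=false is pre-1.8.11, true is the patch.
type CachedResolver struct {
	inner      func(key string) CheckResponse
	cache      map[string]CheckResponse
	skipCycles bool
	InnerCalls int // how often the uncached resolver actually ran
}

func (c *CachedResolver) ResolveCheck(key string) CheckResponse {
	if resp, ok := c.cache[key]; ok {
		return resp
	}
	c.InnerCalls++
	resp := c.inner(key)
	// Indeterminate: the parent of the cycle could still resolve to true, so
	// the fixed variant returns it without storing it.
	if resp.CycleDetected && c.skipCycles {
		return resp
	}
	c.cache[key] = resp
	return resp
}

// Demo issues the same check twice against a constructed inner resolver that
// reports a cycle on its first visit (reached from inside its own recursion)
// and a real answer afterwards; returns the second answer and inner call count.
func Demo(skipCycles bool) (CheckResponse, int) {
	calls := 0
	cr := &CachedResolver{cache: map[string]CheckResponse{}, skipCycles: skipCycles}
	cr.inner = func(string) CheckResponse {
		calls++
		if calls == 1 {
			return CheckResponse{Allowed: false, CycleDetected: true}
		}
		return CheckResponse{Allowed: true}
	}
	cr.ResolveCheck("document:budget#viewer@user:anne")
	return cr.ResolveCheck("document:budget#viewer@user:anne"), cr.InnerCalls
}
```

With skipCycles=false the second call is served the cached indeterminate answer and the inner resolver never runs again; with skipCycles=true it runs again and returns the determinate result, which is the behaviour the patched test pins down with `.Times(2)`.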

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
github.com/openfga/openfga (Go)  >= 1.3.6, < 1.8.11    1.8.11


Patches

Commit 244302e7a8b9

Merge commit from fork

https://github.com/openfga/openfga · Adrian Tam · Apr 30, 2025 · via ghsa
3 files changed · +23 −2
  • CHANGELOG.md  +9 −1  modified
    @@ -7,9 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     Try to keep listed changes to a concise bulleted list of simple explanations of changes. Aim for the amount of information needed so that readers can understand where they would look in the codebase to investigate the changes' implementation, or where they would look in the documentation to understand how to make use of the change in practice - better yet, link directly to the docs and provide detailed information there. Only elaborate if doing so is required to avoid breaking changes or experimental features from ruining someone's day.
     
     ## [Unreleased]
    +
    +## [1.8.11] - 2025-04-29
    +[Full changelog](https://github.com/openfga/openfga/compare/v1.8.10...v1.8.11)
    +
     ### Changed
     - Update go version to 1.24.2 [#2404](https://github.com/openfga/openfga/pull/2404)
     
    +### Fixed
    +- Do not save to check query cache when result indicates cycle. [CVE-2025-46331](https://github.com/openfga/openfga/security/advisories/GHSA-w222-m46c-mgh6)
    +
     ## [1.8.10] - 2025-04-28
     [Full changelog](https://github.com/openfga/openfga/compare/v1.8.9...v1.8.10)
     
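Review bot: the "Fixed" entry under [1.8.11] names only the check query cache, while the advisory text on this page says both Check and ListObjects calls are affected; state in the entry which APIs were affected by the cached cycle result so operators reading the changelog can judge exposure without opening the advisory link.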
    @@ -1266,7 +1273,8 @@ Re-release of `v0.3.5` because the go module proxy cached a prior commit of the
     - Memory storage adapter implementation
     - Early support for preshared key or OIDC authentication methods
     
    -[Unreleased]: https://github.com/openfga/openfga/compare/v1.8.10...HEAD
    +[Unreleased]: https://github.com/openfga/openfga/compare/v1.8.11...HEAD
    +[1.8.11]: https://github.com/openfga/openfga/compare/v1.8.10...v1.8.11
     [1.8.10]: https://github.com/openfga/openfga/compare/v1.8.9...v1.8.10
     [1.8.9]: https://github.com/openfga/openfga/compare/v1.8.8...v1.8.9
     [1.8.8]: https://github.com/openfga/openfga/compare/v1.8.7...v1.8.8
    
  • internal/graph/cached_resolver.go  +12 −0  modified
    @@ -187,6 +187,18 @@ func (c *CachedCheckResolver) ResolveCheck(
     		return nil, err
     	}
     
    +	// when the response indicates cycle detected. The result is indeterminate because the
    +	// parent of the cycle could have resolved to true. Thus, we don't save the result and let
    +	// the parent handle it.
    +	if resp.GetCycleDetected() {
    +		span.SetAttributes(attribute.Bool("cycle_detected", true))
    +		c.logger.Debug("CachedCheckResolver not saving to cache due to cycle",
    +			zap.String("store_id", req.GetStoreID()),
    +			zap.String("authorization_model_id", req.GetAuthorizationModelID()),
    +			zap.String("tuple_key", req.GetTupleKey().String()))
    +		return resp, nil
    +	}
    +
     	clonedResp := resp.clone()
     
     	c.cache.Set(cacheKey, &CheckResponseCacheEntry{LastModified: time.Now(), CheckResponse: clonedResp}, c.cacheTTL)
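Review bot: the early return at `if resp.GetCycleDetected()` only stops new writes; a cycle-derived entry that a pre-fix process already stored keeps being served until its TTL (`c.cacheTTL`) expires, so the release notes should say that the check query cache is not purged by this change and how operators should clear it after upgrading. The leading comment is also a sentence fragment ("when the response indicates cycle detected."); reword to "When the response indicates a cycle was detected, the result is indeterminate because the parent of the cycle could have resolved to true, so we do not cache it and let the parent handle it."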
    
  • internal/graph/cached_resolver_test.go  +2 −1  modified
    @@ -634,13 +634,14 @@ func TestCachedCheckResolver_FieldsInResponse(t *testing.T) {
     			ResolutionMetadata: ResolveCheckResponseMetadata{
     				CycleDetected: true,
     			},
    -		}, nil)
    +		}, nil).Times(2)
     
     	resp, err := cachedCheckResolver.ResolveCheck(context.Background(), &ResolveCheckRequest{})
     	require.NoError(t, err)
     	require.NotNil(t, resp)
     	require.True(t, resp.GetResolutionMetadata().CycleDetected)
     
    +	// we expect the underlying resolve check to be called twice because we are not saving the response.
     	resp, err = cachedCheckResolver.ResolveCheck(context.Background(), &ResolveCheckRequest{})
     	require.NoError(t, err)
     	require.NotNil(t, resp)
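Review bot: `.Times(2)` proves the underlying resolver ran twice, but the second response is only checked for non-nil; add `require.True(t, resp.GetResolutionMetadata().CycleDetected)` after the second call too, and ideally assert directly that no entry was written to the cache, so the test documents the intended behaviour ("a cycle result is never cached") rather than only the mock's call count.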
    

