OpenFGA Authorization Bypass
Description
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObjects calls are executed. Users are affected only when all four of the following conditions hold:
- the Check or ListObjects call uses an authorization model in which a relationship is directly assignable by both type bound public access and a userset;
- the Check or ListObjects query carries contextual tuples for that relationship (the one directly assignable by both type bound public access and a userset);
- the user field of those contextual tuples is a userset; and
- no type bound public access tuples are assigned to the relationship.
Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible.
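A defender-side check for the first of those conditions, added here as an example and not code from OpenFGA or the advisory: it reads an authorization model in OpenFGA's JSON form and lists every relation that is directly assignable by both a type bound public access entry (`user:*`, serialised as a `wildcard` reference) and a userset (such as `group#member`). The model embedded below is constructed for the example; the other three conditions depend on the request's contextual tuples and the stored tuples, so a flagged relation marks where to review queries and tuples before upgrading, not a confirmed bypass.

```python
import json

# Constructed sample model in OpenFGA's JSON form (not taken from the advisory).
# document#viewer is directly assignable by both user:* and group#member,
# which is the model shape the advisory's first condition describes.
SAMPLE_MODEL = json.loads("""
{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "group",
     "relations": {"member": {"this": {}}},
     "metadata": {"relations": {"member": {
       "directly_related_user_types": [{"type": "user"}]}}}},
    {"type": "document",
     "relations": {"viewer": {"this": {}}, "owner": {"this": {}}},
     "metadata": {"relations": {
       "viewer": {"directly_related_user_types": [
         {"type": "user", "wildcard": {}},
         {"type": "group", "relation": "member"}]},
       "owner": {"directly_related_user_types": [{"type": "user"}]}}}}
  ]
}
""")


def find_mixed_relations(model):
    """Return ['type#relation', ...] for every relation whose directly
    assignable user types include BOTH a type bound public access entry
    (a reference carrying "wildcard", i.e. user:*) AND a userset entry
    (a reference carrying "relation", i.e. group#member). Sorted for
    stable output."""
    hits = []
    for td in model.get("type_definitions", []):
        rel_meta = (td.get("metadata") or {}).get("relations") or {}
        for rel, meta in rel_meta.items():
            refs = meta.get("directly_related_user_types") or []
            has_wildcard = any("wildcard" in ref for ref in refs)
            has_userset = any(ref.get("relation") for ref in refs)
            if has_wildcard and has_userset:
                hits.append(f"{td['type']}#{rel}")
    return sorted(hits)


if __name__ == "__main__":
    # Prints: review before upgrading: document#viewer
    for hit in find_mixed_relations(SAMPLE_MODEL):
        print("review before upgrading:", hit)
```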
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/openfga/openfga (Go) | >= 1.8.0, < 1.8.13 | 1.8.13 |
References
- https://github.com/advisories/GHSA-c72g-53hw-82q7 (GitHub Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-48371 (NVD)
- https://github.com/openfga/openfga/commit/e5960d4eba92b723de8ff3a5346a07f50c1379ca (OpenFGA commit)
- https://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7 (OpenFGA security advisory)
- https://pkg.go.dev/vuln/GO-2025-3707 (Go vulnerability database)