VYPR
Moderate severity · NVD Advisory · Published Aug 18, 2025 · Updated Aug 18, 2025

OpenFGA Authorization Bypass (Check)

CVE-2025-55213

Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 to v1.9.4 (openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This vulnerability is fixed in 1.9.5.
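The description only says that "certain" Check calls are affected; the fix commit on this page narrows that to relations with two or more directly assignable userset types (the new `len(directlyRelatedUsersetTypes) < 2` guard). The following audit helper is an added example, not OpenFGA project code: it checks a server version against the advisory's affected range and flags relations in an OpenFGA DSL model whose bracketed type restrictions contain two or more usersets. It assumes only the DSL subset used in the advisory's test models (`type X`, `define r: [...]`) and deliberately over-approximates by counting usersets of any type, which is the conservative choice for an audit.

```python
"""Audit helper for CVE-2025-55213: flag OpenFGA models with the affected shape.

Added example, not OpenFGA project code. Assumptions (labelled): it parses only
the DSL subset used in the advisory's test models (`type X`, `define r: [...]`),
and it treats any relation with two or more directly assignable usersets
(entries of the form `type#relation`) as matching the condition the fix guards
on. That is a deliberate over-approximation for auditing.
"""
import re
from typing import Dict, List, Tuple

# Version range from the advisory's "Affected packages" entry: >= 1.9.3, < 1.9.5.
AFFECTED_MIN = (1, 9, 3)
FIXED = (1, 9, 5)

TYPE_RE = re.compile(r"^\s*type\s+(\S+)\s*$")
DEFINE_RE = re.compile(r"^\s*define\s+(\w+)\s*:\s*\[([^\]]*)\]")

# Constructed sample models. VULN_MODEL mirrors the shape of the advisory's
# `weight_2_more_than_one_userset_assignable` test; SAFE_MODEL keeps one userset.
VULN_MODEL = """
model
  schema 1.1
type user
type scope
  relations
    define public: [user:*]
    define verified: [user]
type resource
  relations
    define access: [scope#public, scope#verified]
"""

SAFE_MODEL = """
model
  schema 1.1
type user
type scope
  relations
    define verified: [user]
type resource
  relations
    define access: [user, scope#verified]
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'v1.9.4' -> (1, 9, 4); tolerates a leading 'v' as in the docker tags."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def is_affected_version(v: str) -> bool:
    """True when the server version falls in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


def directly_assignable(model: str) -> Dict[str, Dict[str, List[str]]]:
    """Map type -> relation -> entries of its bracketed (directly assignable) list.

    Only the bracket contents count; anything after `]` (e.g. `or owner`) is a
    computed relation, not a direct assignment, and is ignored.
    """
    out: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in model.splitlines():
        m = TYPE_RE.match(line)
        if m:
            current = m.group(1)
            out[current] = {}
            continue
        m = DEFINE_RE.match(line)
        if m and current is not None:
            entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
            out[current][m.group(1)] = entries
    return out


def userset_entries(entries: List[str]) -> List[str]:
    """Keep userset restrictions (`scope#verified`); `user` and `user:*` are not usersets."""
    return [e for e in entries if "#" in e]


def find_multi_userset_relations(model: str) -> List[Tuple[str, str, List[str]]]:
    """Relations with >= 2 directly assignable usersets, i.e. the shape for which the
    fix commit disables the weight-2 optimisation (`len(directlyRelatedUsersetTypes) < 2`)."""
    hits = []
    for typ, rels in directly_assignable(model).items():
        for rel, entries in rels.items():
            usersets = userset_entries(entries)
            if len(usersets) >= 2:
                hits.append((typ, rel, usersets))
    return hits


if __name__ == "__main__":
    for version in ("v1.9.2", "v1.9.3", "v1.9.4", "v1.9.5"):
        print(f"{version}: affected={is_affected_version(version)}")
    for typ, rel, usersets in find_multi_userset_relations(VULN_MODEL):
        print(f"{typ}.{rel}: {len(usersets)} directly assignable usersets {usersets}")
```

A hit from `find_multi_userset_relations` on an affected version means the model exercises the code path the fix changes, so upgrading to 1.9.5 is the action; a clean result on an affected version still warrants the upgrade, since the helper only covers the DSL subset it parses.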

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/openfga/openfga (Go)
Affected versions: >= 1.9.3, < 1.9.5
Patched versions: 1.9.5

Affected products: 1

Patches: 1

1a7e0e37fc47

fix: multiple userset with same type should not use weight 2 opt (#2643)

https://github.com/openfga/openfga · Adrian Tam · Aug 15, 2025 · via ghsa
3 files changed · +58 −1
  • assets/tests/consolidated_1_1_tests.yaml · +52 −0 · modified
    @@ -10435,4 +10435,56 @@ tests:
                   user: user:jdoe
                   relation: can_access
                   object: deployment:1
    +            expectation: false
    +  - name: weight_2_more_than_one_userset_assignable
    +    stages:
    +      - model: |
    +          model
    +            schema 1.1
    +          type user
    +          type scope
    +            relations
    +              define public: [user:*]
    +              define verified: [user]
    +          type resource
    +            relations
    +              define access: [scope#public, scope#verified]
    +        tuples:
    +          - user: scope:A#verified
    +            relation: access
    +            object: resource:1
    +          - user: user:*
    +            relation: public
    +            object: scope:A
    +        checkAssertions:
    +          - tuple:
    +              user: user:bob
    +              relation: access
    +              object: resource:1
    +            expectation: false
    +  - name: weight_infinite_more_than_one_userset_assignable
    +    stages:
    +      - model: |
    +          model
    +            schema 1.1
    +          type user
    +          type scope
    +            relations
    +              define public: [user:*, scope#public]
    +              define verified: [user, scope#verified]
    +          type resource
    +            relations
    +              define access: [scope#public, scope#verified]
    +        tuples:
    +          - user: scope:A#verified
    +            relation: access
    +            object: resource:1
    +          - user: user:*
    +            relation: public
    +            object: scope:A
    +        checkAssertions:
    +          - tuple:
    +              user: user:bob
    +              relation: access
    +              object: resource:1
                 expectation: false
    \ No newline at end of file
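Review bot: both new stages (`weight_2_more_than_one_userset_assignable` and `weight_infinite_more_than_one_userset_assignable`) only assert `expectation: false` for `user:bob`, so a regression that made `access` unreachable for everyone would still pass. Add a positive assertion to each stage, for example a tuple `user: user:alice` / `relation: verified` / `object: scope:A` and a checkAssertion expecting `true` for `user:alice` on `resource:1`, so the test pins down that the fix removes the false positive without breaking the legitimate `scope#verified` path. The file also still ends without a trailing newline (`\ No newline at end of file`).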
    
  • CHANGELOG.md · +2 −0 · modified
    @@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     Try to keep listed changes to a concise bulleted list of simple explanations of changes. Aim for the amount of information needed so that readers can understand where they would look in the codebase to investigate the changes' implementation, or where they would look in the documentation to understand how to make use of the change in practice - better yet, link directly to the docs and provide detailed information there. Only elaborate if doing so is required to avoid breaking changes or experimental features from ruining someone's day.
     
     ## [Unreleased]
    +### Fixed
    +- Do not run weight 2 optimization for cases where there are more than 1 directly assignable userset. [#2643](https://github.com/openfga/openfga/pull/2643)
     
     ## [1.9.4] - 2025-08-13
     ### Fixed
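Review bot: the new entry states what changed ("Do not run weight 2 optimization for cases where there are more than 1 directly assignable userset") but not its effect, and since this ships as a security fix for an authorization-bypass advisory, operators scanning the changelog should be able to see why to upgrade. Suggest wording such as "- Security: Check could return incorrect results for relations with more than one directly assignable userset; the weight 2 optimization is no longer used in that case. [#2643](https://github.com/openfga/openfga/pull/2643)".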
    
  • internal/graph/check.go · +4 −1 · modified
    @@ -745,7 +745,10 @@ func (c *LocalChecker) checkDirect(parentctx context.Context, req *ResolveCheckR
     			userType := tuple.GetType(reqTupleKey.GetUser())
     
     			if !isUserset {
    -				if typesys.UsersetUseWeight2Resolver(objectType, relation, userType, directlyRelatedUsersetTypes) {
    +				if len(directlyRelatedUsersetTypes) < 2 && typesys.UsersetUseWeight2Resolver(objectType, relation, userType, directlyRelatedUsersetTypes) {
    +					// If there are more than 1 directly related userset types of the same type, we cannot do userset optimization because
    +					// we cannot rely on the fact that the object ID matches. Instead, we need to take into consideration
    +					// on the relation as well.
     					resolver = c.weight2Userset
     					span.SetAttributes(attribute.String("resolver", "weight2"))
     				} else if typesys.UsersetUseRecursiveResolver(objectType, relation, userType) {
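Review bot: the guard `len(directlyRelatedUsersetTypes) < 2` is added only at this call site, so the invariant that the weight-2 userset resolver is safe only with a single directly related userset type is not enforced inside `typesys.UsersetUseWeight2Resolver`, which already receives `directlyRelatedUsersetTypes`; moving the length check into that function (returning false when two or more are present) keeps any other caller from re-introducing the bug. The comment also says "more than 1 directly related userset types of the same type" while the condition counts all directly related userset types regardless of type, and "take into consideration on the relation as well" reads awkwardly; rewording the comment to match the condition would avoid confusion about what is actually excluded.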
    

