GHSA-g4v5-6f5p-m38j: OpenFGA Authorization Bypass

Moderate severity GitHub Reviewed Published Feb 19, 2025 in openfga/openfga • Updated Feb 19, 2025

Package

gomod github.com/openfga/openfga (Go)

Affected versions

<= 1.8.4

Overview
OpenFGA v1.8.4 and earlier (Helm chart < openfga-0.2.22, Docker image < v1.8.5) are vulnerable to an authorization bypass when certain Check and ListObjects calls are executed.

Am I Affected?
If you are running OpenFGA v1.8.4 or earlier and all of the following conditions hold, you are affected by this authorization bypass vulnerability:

  • You call the Check or ListObjects API with a model in which a relation is directly assignable to both type-bound public access and a userset of the same type, and
  • a type-bound public access tuple is assigned to an object, and
  • no userset tuple is assigned to that same object, and
  • the Check request's user field is a userset whose type matches the user type of the type-bound public access tuple.
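
The four conditions above describe a concrete shape of model plus tuple data, so a deployment can be screened for them before deciding how urgently to upgrade. The following audit script is an added example written for this page; it is not code from the OpenFGA project. It assumes the model is given in the JSON shape the OpenFGA API returns (`type_definitions[].metadata.relations.<rel>.directly_related_user_types` entries carrying `type`, optional `relation`, optional `wildcard`), that tuples are dicts with `user`, `relation` and `object`, and it reads the third condition as "no userset tuple of the public tuple's type exists on the same object and relation". The sample model and tuples are constructed for illustration.

```python
"""Added audit example (not OpenFGA project code): test an authorization model and
its tuples for the preconditions of GHSA-g4v5-6f5p-m38j on OpenFGA <= 1.8.4.

Assumptions: the model is in the JSON shape the OpenFGA API returns
(type_definitions[].metadata.relations.<rel>.directly_related_user_types with
`type`, optional `relation`, optional `wildcard`); tuples are dicts with
`user`, `relation`, `object`; condition 3 is read as "no userset tuple of the
public tuple's type on the same object and relation"."""


def risky_relations(model):
    """Condition 1: relations directly assignable to both T:* (type-bound public
    access) and T#rel (a userset) for the same type T.
    Returns {(object_type, relation): {T, ...}}."""
    found = {}
    for td in model.get("type_definitions", []):
        rels = (td.get("metadata") or {}).get("relations") or {}
        for rel, meta in rels.items():
            wildcard_types, userset_types = set(), set()
            for ref in meta.get("directly_related_user_types", []):
                if "wildcard" in ref:
                    wildcard_types.add(ref["type"])
                elif ref.get("relation"):
                    userset_types.add(ref["type"])
            overlap = wildcard_types & userset_types
            if overlap:
                found[(td["type"], rel)] = overlap
    return found


def parse_user(user):
    """Classify an OpenFGA user string: 'T:*' -> (T, 'wildcard'),
    'T:id#rel' -> (T, 'userset'), 'T:id' -> (T, 'object')."""
    type_name, _, rest = user.partition(":")
    if rest == "*":
        return type_name, "wildcard"
    if "#" in rest:
        return type_name, "userset"
    return type_name, "object"


def exposed_objects(model, tuples):
    """Conditions 2 and 3: objects holding a type-bound public tuple on a risky
    relation with no userset tuple of that type on the same object/relation.
    Returns a sorted list of (object, relation, public_user_type)."""
    risky = risky_relations(model)
    public, usersets = set(), set()
    for t in tuples:
        user_type, kind = parse_user(t["user"])
        key = (t["object"], t["relation"], user_type)
        if kind == "wildcard":
            public.add(key)
        elif kind == "userset":
            usersets.add(key)
    return sorted(
        (obj, rel, user_type)
        for obj, rel, user_type in public
        if user_type in risky.get((obj.partition(":")[0], rel), set())
        and (obj, rel, user_type) not in usersets
    )


def check_hits_bug(model, tuples, user, relation, obj):
    """Condition 4: a Check whose user is a userset of the same type as an exposed
    public tuple exercises the vulnerable code path on an unpatched server."""
    user_type, kind = parse_user(user)
    return kind == "userset" and (obj, relation, user_type) in exposed_objects(model, tuples)


# Constructed sample model: document#viewer accepts both group:* and group#member.
SAMPLE_MODEL = {
    "schema_version": "1.1",
    "type_definitions": [
        {"type": "user"},
        {"type": "group", "relations": {"member": {"this": {}}},
         "metadata": {"relations": {"member": {
             "directly_related_user_types": [{"type": "user"}]}}}},
        {"type": "document", "relations": {"viewer": {"this": {}}},
         "metadata": {"relations": {"viewer": {
             "directly_related_user_types": [
                 {"type": "group", "wildcard": {}},
                 {"type": "group", "relation": "member"},
             ]}}}},
    ],
}
# Constructed tuples: readme carries only the public tuple; spec also has a userset tuple.
SAMPLE_TUPLES = [
    {"user": "group:*", "relation": "viewer", "object": "document:readme"},
    {"user": "group:*", "relation": "viewer", "object": "document:spec"},
    {"user": "group:eng#member", "relation": "viewer", "object": "document:spec"},
]

if __name__ == "__main__":
    print("risky relations:", risky_relations(SAMPLE_MODEL))
    print("exposed objects:", exposed_objects(SAMPLE_MODEL, SAMPLE_TUPLES))
    print("Check(group:eng#member, viewer, document:readme) hits bug:",
          check_hits_bug(SAMPLE_MODEL, SAMPLE_TUPLES, "group:eng#member", "viewer", "document:readme"))
```

Only `document:readme` is reported: it has the public `group:*` tuple on a risky relation and no userset tuple of type `group`, while `document:spec` also carries `group:eng#member` and so fails the third condition. An empty result from `exposed_objects` means the deployment's data does not meet the preconditions today, but the relation shape flagged by `risky_relations` can still become exposed as soon as tuples change, so the upgrade to v1.8.5 remains the fix.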

Fix
Upgrade to v1.8.5. This upgrade is backwards compatible.

References

  • GHSA-g4v5-6f5p-m38j
  • openfga/openfga@0aee4f4
  • https://nvd.nist.gov/vuln/detail/CVE-2025-25196

Published to the GitHub Advisory Database: Feb 19, 2025

Last updated: Feb 19, 2025