57 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the improper handling of Check and ListObject API calls under specific conditions. An attacker can bypass authorization controls by exploiting the conditions where both type-bound public access and userset...
CVE-2025-48371 OpenFGA Authorization Bypass
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected...
CVE-2025-48371
OpenFGA Open Authorization bypass (CVE-2025-48371) affects versions 1.8.0–1.8.12 of OpenFGA (and corresponding Helm/dockers) where certain Check and ListObjects calls can bypass access controls under specific conditions involving relationships that can be publicly assigned and usersets, contextua...
GHSA-W222-M46C-MGH6 OpenFGA Authorization Bypass
Overview OpenFGA v1.8.10 or previous Helm chart = openfga-0.2.28, docker = v.1.8.10 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? If you are using OpenFGA v1.8.10 or previous, specifically under the following conditions, you are affect...
SUSE CVE-2025-25196
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.4 Helm chart openfga-0.2.22, docker v.1.8.4 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA...
Vulnerability of the Check API and ListObjects interface of the OpenFGA authentication system, which allows attackers to circumvent security restrictions
The vulnerability of the Check API and ListObjects interfaces of the OpenFGA authentication system is related to deficiencies in the authentication process. Exploiting this vulnerability could allow a malicious actor to bypass security restrictions while operating remotely...
GHSA-G4V5-6F5P-M38J OpenFGA Authorization Bypass
Overview OpenFGA v1.8.4 or previous Helm chart openfga-0.2.22, docker v.1.8.5 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? If you are using OpenFGA v1.8.4 or previous, specifically under the following conditions, you are affected by...
CVE-2025-25196 OpenFGA Authorization Bypass
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.4 Helm chart openfga-0.2.22, docker v.1.8.4 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA...
CVE-2024-31452
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion e.g. a but not b or intersection e.g. ...
BIT-ELK-2024-43710 Kibana server-side request forgery
A server side request forgery vulnerability was identified in Kibana where the /api/fleet/healthcheck API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried...
CVE-2024-43710 Kibana server-side request forgery
A server side request forgery vulnerability was identified in Kibana where the /api/fleet/healthcheck API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried...
Authentication Bypass
github.com/openfga/openfga is vulnerable to Authorization Bypass. The vulnerability is due to improper validation of conditions and contextual tuples when using the Check API or ListObjects API, particularly when caching is enabled OPENFGACHECKQUERYCACHEENABLED, allows attackers to potentially...
CVE-2024-56323 OpenFGA Authorization Bypass
OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2 are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses conditions, and 2...
GHSA-32Q6-RR98-CJQV OpenFGA Authorization Bypass
Overview OpenFGA v1.3.8 to v1.8.2 Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? You are affected by this authorization bypass vulnerability if you are using OpenFGA...
OpenFGA Authorization Bypass
Overview OpenFGA v1.3.8 to v1.8.2 Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? You are affected by this authorization bypass vulnerability if you are using OpenFGA...
CVE-2024-42473
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As...
GHSA-3F6G-M4HR-59H8 OpenFGA Authorization Bypass
Overview OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset. Fix - If you are using OpenFGA within Docker or as a Go library, as a binary, or through Docker, upgrade to v1.5.9 as soon as possibl...
OpenFGA Authorization Bypass
Overview OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset. Fix - If you are using OpenFGA within Docker or as a Go library, as a binary, or through Docker, upgrade to v1.5.9 as soon as possibl...
CVE-2024-42473 OpenFGA Authorization Bypass
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As...
CVE-2024-42473
OpenFGA OpenFGA v1.5.7 and v1.5.8 are affected by an authorization bypass in the Check API when using a model with the expressions but not and from in a userset. downgraded to v1.5.6 is advised (backward compatible). At time of publication, no patch was available, though maintainers planned a pat...