
11 matches found

OSV
added 2025/08/18 9:0 p.m. · 8 views

GHSA-MGH9-4MWP-FG55 OpenFGA Authorization Bypass

Overview: OpenFGA v1.9.3 to v1.9.4 (openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v.1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. Am I Affected? You are affected by this vulnerability if you are using OpenFGA v1.9.3 to...

5.8 CVSS · 7 AI score · 0.00114 EPSS
Exploits 0 · References 5
SUSE CVE
added 2025/05/31 1:26 a.m. · 1 views

SUSE CVE-2025-48371

OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected...

8.8 CVSS · 6.6 AI score · 0.001 EPSS
Exploits 0 · References 3
RedhatCVE
added 2025/05/23 8:44 a.m. · 1 views

CVE-2024-23820

OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to ListObjects may not release memory properly. So when a sufficiently high number of those calls are executed, t...

6.5 CVSS · 6.7 AI score · 0.0009 EPSS
Exploits 0 · References 1
SUSE CVE
added 2025/03/14 2:57 a.m. · 1 views

SUSE CVE-2025-25196

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.4 Helm chart openfga-0.2.22, docker v.1.8.4 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA...

9.8 CVSS · 7 AI score · 0.00097 EPSS
Exploits 0 · References 2
Positive Technologies
added 2025/01/13 12:0 a.m. · 2 views

PT-2025-3267

Name of the Vulnerable Software and Affected Versions: OpenFGA versions 1.3.8 through 1.8.2 Description: The issue concerns an authorization bypass in OpenFGA under specific conditions, including calling Check API or ListObjects with a model that uses conditions, and OpenFGA being configured with...

9.8 CVSS · 7.5 AI score · 0.02218 EPSS
Exploits 2 · References 92
OSV
added 2024/08/21 4:3 p.m. · 8 views

GO-2022-1079 OpenFGA subject to Information Disclosure via streamed-list-objects endpoint in github.com/openfga/openfga

OpenFGA subject to Information Disclosure via streamed-list-objects endpoint in github.com/openfga/openfga...

5.3 CVSS · 4.9 AI score · 0.00263 EPSS
Exploits 0 · References 4
CNNVD
added 2023/10/17 12:0 a.m. · 2 views

OpenFGA Resource Management Error Vulnerability

OpenFGA is a high-performance and flexible authorization/licensing engine built for developers and inspired by Google Zanzibar. A security vulnerability exists in OpenFGA 1.3.3 and earlier versions, which results in a denial of service (DoS) when too many ListObjects calls are executed...

7.5 CVSS · 6.6 AI score · 0.00069 EPSS
Exploits 0 · References 2
Positive Technologies
added 2023/10/17 12:0 a.m. · 3 views

PT-2023-29700 · Openfga · Openfga

Name of the Vulnerable Software and Affected Versions: OpenFGA versions prior to 1.3.4 Description: OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Affected versions of OpenFGA are vulnerable to a denial of service attack. When a number ...

7.5 CVSS · 6.8 AI score · 0.00069 EPSS
Exploits 0 · References 12
Positive Technologies
added 2023/08/25 12:0 a.m. · 4 views

PT-2023-27517 · Openfga · Openfga

Name of the Vulnerable Software and Affected Versions: OpenFGA versions 1.3.0 and earlier Description: The issue affects OpenFGA, an authorization/permission engine, where some end users of versions 1.3.0 or earlier are vulnerable to authorization bypass when calling the "ListObjects" API endpoin...

6.5 CVSS · 7 AI score · 0.00072 EPSS
Exploits 0 · References 8
Github Security Blog
added 2022/10/25 8:13 p.m. · 16 views

OpenFGA subject to Information Disclosure via streamed-list-objects endpoint

Overview: During our internal security assessment, it was discovered that the streamed-list-objects endpoint was not validating the authorization header, resulting in the disclosure of objects in the store. Am I Affected? You are affected by this vulnerability if you are using openfga/openfga version...

5.3 CVSS · 5.3 AI score · 0.00263 EPSS
Exploits 0 · References 5 · Affected Software 1
Hacker One
added 2019/06/12 12:56 p.m. · 66 views

ecobee: Open API - AWS S3 GET Bucket (List Objects) Version 1

Summary: AWS S3 GET Bucket List Objects Version 1 API accessible. Steps To Reproduce: navigate to: https://www.ecobee.com/wp-content/uploads/ Observe that you get a listbucketresponse https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGET.html#RESTBucketGET-requests The truncated param is set...

0.7 AI score
Exploits 0