10 matches found
OpenFGA Authorization Bypass
Overview OpenFGA v1.9.3 to v1.9.4 (openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. Am I Affected? You are affected by this vulnerability if you are using OpenFGA v1.9.3 to...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via improper enforcement of authorization policies in the Check and ListObject processes. Note: The users are affected under the following preconditions: - Check API or ListObjects are called with an authorizatio...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the improper handling of Check and ListObject API calls under specific conditions. An attacker can bypass authorization controls by exploiting the conditions where both type-bound public access and userset...
CVE-2024-42473
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses 'but not' and 'from' expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As...
Authorization Bypass
github.com/openfga/openfga is vulnerable to Authorization Bypass. The vulnerability is due to improper handling of authorization logic with 'but not' and 'from' expressions and a userset, allowing an attacker to bypass authorization checks and gain unauthorized access to resources...
OpenFGA Authorization Bypass
Overview OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses 'but not' and 'from' expressions and a userset. Fix - If you are using OpenFGA within Docker or as a Go library, as a binary, or through Docker, upgrade to v1.5.9 as soon as possibl...
GHSA-3F6G-M4HR-59H8 OpenFGA Authorization Bypass
Overview OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses 'but not' and 'from' expressions and a userset. Fix - If you are using OpenFGA within Docker or as a Go library, as a binary, or through Docker, upgrade to v1.5.9 as soon as possibl...
CVE-2024-42473 OpenFGA Authorization Bypass
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses 'but not' and 'from' expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As...
CVE-2024-42473 OpenFGA Authorization Bypass
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses 'but not' and 'from' expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As...
GHSA-3GFJ-FXX4-F22W OpenFGA Authorization Bypass
Overview During our internal security assessment, it was discovered that OpenFGA versions v0.2.4 and prior are vulnerable to authorization bypass under certain conditions. Am I Affected? You are affected by this vulnerability if you are using openfga/openfga version v0.2.4 or prior, and have tupl...