Authorization bypass vulnerability in OpenFGA
CVE-2024-42473
9.8CRITICAL
Key Information
- Vendor
- Openfga
- Status
- Openfga
- Vendor
- CVE Published:
- 12 August 2024
Summary
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not
and from
expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As of time of publication, a patch is not available but OpenFGA's maintainers are planning a patch for inclusion in a future release.
Affected Version(s)
openfga = >=1.5.7, <= 1.5.8
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database