Authorization Bypass Vulnerability in OpenFGA Engine
CVE-2024-56323
What is CVE-2024-56323?
OpenFGA, an authorization and permission engine, is exposed to an authorization bypass vulnerability. This issue affects versions 1.3.8 through 1.8.2 (including Helm chart openfga-0.1.38 through openfga-0.2.19 and Docker images v1.3.8 through v1.8.2) under specific conditions. It is triggered when the Check API or ListObjects API is called with a model that uses conditions. Additionally, if these APIs are invoked with contextual tuples that include conditions while query caching is enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED), the vulnerability may be exploited. Users should upgrade to version 1.8.3, as there are currently no known workarounds.
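The description above gives an operator three things to check: the deployed version, whether the authorization model uses conditions, and whether the query cache flag is set. The following script is an added example (not OpenFGA project code) that turns those statements into an exposure check over a deployment inventory. The deployment records, the helper names (`parse_version`, `in_range`, `assess`) and the accepted boolean spellings for the environment variable are this example's own assumptions; the version ranges and the flag name come from the advisory text.

```python
"""Exposure check for CVE-2024-56323 (OpenFGA authorization bypass).

Added example, not part of the OpenFGA project. It encodes the affected
ranges and the OPENFGA_CHECK_QUERY_CACHE_ENABLED precondition stated in
the advisory and reports whether a deployment description falls inside them.
"""
from typing import Dict, Tuple

# Ranges taken from the advisory text (inclusive on both ends).
AFFECTED_SERVER = ("1.3.8", "1.8.2")
AFFECTED_HELM = ("0.1.38", "0.2.19")
FIXED_SERVER = "1.8.3"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v1.8.2' or 'openfga-0.2.19' into a comparable tuple of ints."""
    v = v.strip()
    if v.startswith("openfga-"):
        v = v[len("openfga-"):]
    v = v.lstrip("v")
    # Drop pre-release / build metadata (1.8.2-rc1, 1.8.2+sha) so that a
    # pre-release of an affected version is still treated as affected.
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in parts)


def in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version <= high, comparing numerically per component."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def truthy(value: object) -> bool:
    """Boolean spellings accepted for the env flag (assumption of this example)."""
    return str(value).strip().lower() in {"1", "true", "t", "yes", "y", "on"}


def assess(deployment: Dict[str, object]) -> Dict[str, object]:
    """Return a verdict for one deployment record (keys are this example's own):
    server_version, optional helm_chart, env (dict of env vars), uses_conditions."""
    env = deployment.get("env", {})
    server_affected = in_range(str(deployment["server_version"]), *AFFECTED_SERVER)
    chart = deployment.get("helm_chart")
    chart_affected = chart is not None and in_range(str(chart), *AFFECTED_HELM)
    affected_version = server_affected or chart_affected
    cache_enabled = truthy(env.get("OPENFGA_CHECK_QUERY_CACHE_ENABLED", "false"))
    uses_conditions = bool(deployment.get("uses_conditions", False))
    # The third trigger (contextual tuples that carry conditions) is chosen per
    # request by the caller, so a static check cannot rule it out: treat the
    # deployment as exposed whenever the two deployment-level preconditions hold.
    exposed = affected_version and cache_enabled and uses_conditions
    if not affected_version:
        verdict = "not affected: version outside 1.3.8-1.8.2"
    elif exposed:
        verdict = "EXPOSED: affected version, query cache enabled, model uses conditions"
    else:
        verdict = "affected version; trigger preconditions not currently met"
    return {
        "affected_version": affected_version,
        "exposed": exposed,
        "verdict": verdict,
        # The advisory names no workaround, so any affected version gets the same action.
        "action": f"upgrade to {FIXED_SERVER} (no workaround is known)" if affected_version else "none",
    }


# Constructed sample inventory for demonstration only.
SAMPLE_DEPLOYMENTS = {
    "prod": {"server_version": "v1.7.0",
             "env": {"OPENFGA_CHECK_QUERY_CACHE_ENABLED": "true"}, "uses_conditions": True},
    "staging": {"server_version": "v1.8.3",
                "env": {"OPENFGA_CHECK_QUERY_CACHE_ENABLED": "true"}, "uses_conditions": True},
    "legacy-helm": {"server_version": "v1.5.0", "helm_chart": "openfga-0.2.0",
                    "env": {}, "uses_conditions": True},
}

if __name__ == "__main__":
    for name, dep in SAMPLE_DEPLOYMENTS.items():
        result = assess(dep)
        print(f"{name:12s} {result['verdict']}  ->  {result['action']}")
```

The check deliberately reports an affected version as requiring the upgrade even when the cache flag is off, because the advisory states that no workaround is known; the `exposed` field only prioritises which deployments meet every deployment-level trigger today.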