OpenFGA Authorization Bypass
Package
Affected versions
>= 1.5.7, < 1.5.9
Patched versions
1.5.9
Description
Published to the GitHub Advisory Database
Aug 9, 2024
Reviewed
Aug 9, 2024
Published by the National Vulnerability Database
Aug 12, 2024
Last updated
Aug 14, 2024
Overview
OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses
but not
andfrom
expressions and a userset.Fix
This fix is backward compatible.
References