Openfga
CVE-2024-31452
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. a but not b) or intersection (e.g. a and b). This vulnerability is fixed in v1.5.3.
AnalysisAI
OpenFGA is a high-performance and flexible authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. a but not b) or intersection (e.g. a and b). This vulnerability is fixed in v1.5.3. Affected products include: Openfga.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
OPenFGA is an open source authorization/permission engine built for developers. Rated high severity (CVSS 7.5), this vul
OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated critical sever
OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Rated critical severity (CVSS
OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases)
OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated high s
OpenFGA 0.1.4 through 1.13.1 discloses preshared API authentication keys in plaintext HTML responses from the unauthenti
OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. Rat
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severit
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severit
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today