Openfga
CVE-2024-42473
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As of time of publication, a patch is not available but OpenFGA's maintainers are planning a patch for inclusion in a future release.
AnalysisAI
OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset. Users should downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. As of time of publication, a patch is not available but OpenFGA's maintainers are planning a patch for inclusion in a future release. Affected products include: Openfga.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
OPenFGA is an open source authorization/permission engine built for developers. Rated high severity (CVSS 7.5), this vul
OpenFGA is a high-performance and flexible authorization/permission engine. Rated critical severity (CVSS 9.8), this vul
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated critical sever
OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Rated critical severity (CVSS
OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
OpenFGA is an authorization/permission engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi
Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases)
OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated high s
OpenFGA 0.1.4 through 1.13.1 discloses preshared API authentication keys in plaintext HTML responses from the unauthenti
OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. Rat
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severit
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severit
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today