
Docker CVE-2026-24851

Severity: HIGH (CVSS 3.1 base score 8.8)
Weakness: Incorrect Authorization (CWE-863)
Published: 2026-02-06
Source: security-advisories@github.com
GitHub advisory: GHSA-jq9f-gm9w-rwm9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd); status: patch available
Analysis generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE published: Feb 06, 2026 - 18:15 (nvd)

Description (NVD)

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 (Helm chart openfga-0.2.22 <= chart <= openfga-0.2.51; Docker image v1.8.5 <= image <= v1.11.2) is vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires all of the following: a model in which a relation is directly assignable both by a type-bound public access type and by a non-public type; a tuple assigned for that relation using type-bound public access; a tuple assigned for the same object and the same relation that is not type-bound public access; and a tuple assigned for a different object whose object ID is lexicographically larger, with the same user and relation, that is not type-bound public access. This vulnerability is fixed in v1.11.3.
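The first precondition above is a property of the authorization model itself, so it can be audited before any tuples are inspected: look for relations whose directly assignable types include both `user` and `user:*` (the type-bound public access form). The following script is an added example written for this page, not code from OpenFGA or from the advisory; it assumes a minimal subset of the OpenFGA DSL (`type` blocks with `define rel: [...]` lines) and a constructed sample model, and it checks deployed versions against the affected range the advisory states (1.8.5 through 1.11.2, fixed in 1.11.3). It flags only the model precondition; the tuple conditions still have to be reviewed against the actual store.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample model in a subset of the OpenFGA DSL. "user:*" is a
# type-bound public access assignment; plain "user" is the non-public form.
SAMPLE_MODEL = """
model
  schema 1.1

type user

type document
  relations
    define owner: [user]
    define viewer: [user, user:*]
    define editor: [user] or owner
"""

AFFECTED_MIN = (1, 8, 5)   # first affected release per the advisory
AFFECTED_MAX = (1, 11, 2)  # last affected release; fixed in 1.11.3

TYPE_RE = re.compile(r"^type\s+(\w+)\s*$")
DEFINE_RE = re.compile(r"^define\s+(\w+)\s*:\s*(.*)$")
DIRECT_RE = re.compile(r"\[([^\]]*)\]")


def parse_direct_types(model: str) -> Dict[Tuple[str, str], List[str]]:
    """Map (object type, relation) -> list of directly assignable user types.

    Only the bracketed direct-assignment list is read; computed parts such as
    'or owner' are ignored because they are not direct assignments.
    """
    result: Dict[Tuple[str, str], List[str]] = {}
    current_type = None
    for raw in model.splitlines():
        line = raw.strip()
        m = TYPE_RE.match(line)
        if m:
            current_type = m.group(1)
            continue
        m = DEFINE_RE.match(line)
        if m and current_type:
            relation, body = m.group(1), m.group(2)
            d = DIRECT_RE.search(body)
            types = [t.strip() for t in d.group(1).split(",") if t.strip()] if d else []
            result[(current_type, relation)] = types
    return result


def mixed_public_relations(model: str) -> List[Tuple[str, str, str]]:
    """Return (object type, relation, user type) triples for relations that are
    directly assignable both by `usertype` and by `usertype:*`.

    That mixture is the model-level precondition described in the advisory.
    Usersets such as `group#member` are not type-bound public access and are
    excluded from the comparison.
    """
    flagged = []
    for (obj_type, relation), types in parse_direct_types(model).items():
        plain = {t for t in types if not t.endswith(":*") and "#" not in t}
        public = {t[:-2] for t in types if t.endswith(":*")}
        for user_type in sorted(plain & public):
            flagged.append((obj_type, relation, user_type))
    return flagged


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse 'v1.11.2' or '1.11.2' into a comparable tuple of integers."""
    return tuple(int(p) for p in v.lstrip("v").split(".")[:3])


def is_affected_version(v: str) -> bool:
    """True when the OpenFGA version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


if __name__ == "__main__":
    for obj_type, relation, user_type in mixed_public_relations(SAMPLE_MODEL):
        print(f"{obj_type}#{relation}: assignable by both {user_type} and {user_type}:*")
    for v in ("v1.8.4", "v1.8.5", "v1.11.2", "v1.11.3"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Run it against each authorization model exported from a store; any flagged relation on an instance inside the affected range is a candidate for upgrade to v1.11.3 first, and for a review of the tuples written for that relation.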

Analysis (AI)

Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases) allows authenticated users to bypass authorization checks through specially crafted tuple configurations that mix type-bound public and non-public access policies. An attacker with valid credentials can exploit mismatched tuple assignments to gain unauthorized access to protected resources by leveraging lexicographic object ID ordering in the authorization engine. …


Remediation (AI)

Within 24 hours: Inventory all systems running OpenFGA and assess exposure; enable detailed logging of authorization decisions. Within 7 days: Implement network segmentation to restrict OpenFGA access to trusted applications only; conduct access control audit for anomalies. …


Vendor Status (Vendor)


CVE-2026-24851 vulnerability details – vuln.today
