OpenFGA Authorization Bypass
Overview OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset. For example, with a model like the following model schema 1.1 type user type role relations define assignee: [user] type permission relations define assignee: assignee from role define role: [role] type job relations define can_read: [permission#assignee] define problem: [user] but not can_read and …