CVE-2024-56323: OpenFGA Authorization Bypass
Overview
OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v1.8.2) is vulnerable to authorization bypass when certain Check and ListObjects calls are executed.
Am I Affected?
You are affected by this authorization bypass vulnerability if you are using OpenFGA v1.3.8 to v1.8.2, specifically under the following conditions:
- Calling the Check API or ListObjects API with a model that uses conditions, and
- OpenFGA is configured with caching enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED), and
- Check API or ListObjects API calls contain contextual tuples that include conditions.
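The following triage helper is an added example, not code from GitLab or the OpenFGA project. It evaluates the two deployment-side conditions above (server version in the affected range, check-query caching enabled) and reports the upgrade action; the third condition depends on request traffic and is left as a caveat. It assumes the cache flag is read from the process environment and defaults to off when unset.

```python
"""Triage helper for CVE-2024-56323 (added example, not GitLab's or OpenFGA's code).

Flags an OpenFGA deployment as exposed when its server version is in the
affected range AND OPENFGA_CHECK_QUERY_CACHE_ENABLED is on. Whether requests
actually carry contextual tuples with conditions cannot be read from config,
so that condition is reported as a caveat rather than evaluated.
"""
import re

AFFECTED_MIN = (1, 3, 8)   # first affected release named in the advisory
AFFECTED_MAX = (1, 8, 2)   # last affected release named in the advisory
FIXED_TAG = "v1.8.3"       # backwards-compatible fix release


def parse_version(tag: str) -> tuple:
    """Accept 'v1.8.2', '1.8.2', 'v.1.8.2' or 'v1.8.2-rc1' and return (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def cache_enabled(env: dict) -> bool:
    """Treat the usual truthy spellings as enabled; assume off when the variable is unset."""
    value = env.get("OPENFGA_CHECK_QUERY_CACHE_ENABLED", "false")
    return value.strip().lower() in {"1", "true", "yes", "on"}


def assess(version_tag: str, env: dict) -> dict:
    """Combine version range and cache setting into an exposure verdict."""
    version = parse_version(version_tag)
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    caching = cache_enabled(env)
    return {
        "version": version,
        "vulnerable_version": in_range,
        "cache_enabled": caching,
        "exposed": in_range and caching,
        "action": f"upgrade to {FIXED_TAG}" if in_range else "no upgrade required for this CVE",
        "caveat": "exposure also requires Check/ListObjects calls with contextual tuples that include conditions",
    }


if __name__ == "__main__":
    # Constructed sample deployments, not real inventory data.
    samples = [
        ("v1.8.2", {"OPENFGA_CHECK_QUERY_CACHE_ENABLED": "true"}),
        ("v1.8.2", {}),
        ("v1.8.3", {"OPENFGA_CHECK_QUERY_CACHE_ENABLED": "true"}),
    ]
    for tag, env in samples:
        result = assess(tag, env)
        print(f"{tag}: exposed={result['exposed']} ({result['action']})")
```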
Fix
Upgrade to v1.8.3. This upgrade is backwards compatible.