
CVE-2025-55213: OpenFGA Authorization Bypass

August 18, 2025 (updated November 10, 2025)

Overview

OpenFGA v1.9.3 to v1.9.4 (Helm chart openfga-0.2.40 to openfga-0.2.41, Docker image v1.9.3 to v1.9.4) is vulnerable to improper policy enforcement when certain Check and ListObjects calls are executed.

Am I Affected?

You are affected by this vulnerability if you are using OpenFGA v1.9.3 to v1.9.4 and all of the following preconditions hold:

  • You call the Check or ListObjects API with an authorization model in which a relation is directly assignable from more than one userset of the same type, and
  • Check or ListObjects queries rely on that relation, and
  • Userset tuples are assigned to that relation.
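
To check whether a model matches the first precondition above, here is an added example that is not OpenFGA's own code or part of the advisory: it parses a small subset of the OpenFGA DSL (only `type` lines and `define <relation>: [...]` direct-assignment lists) and reports relations that list more than one userset of the same type, and it checks a version string against the advisory's affected range. The sample model is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample model (an assumption, not taken from the advisory):
# `document#viewer` is directly assignable from two usersets of type `group`.
SAMPLE_MODEL = """
model
  schema 1.1
type user
type group
  relations
    define member: [user]
    define owner: [user]
type document
  relations
    define viewer: [user, group#member, group#owner]
    define editor: [user, group#member]
"""

TYPE_RE = re.compile(r"^type\s+(\w+)\s*$")
DEFINE_RE = re.compile(r"^define\s+(\w+)\s*:\s*\[([^\]]*)\]")


def affected_relations(dsl: str) -> List[Tuple[str, str, str]]:
    """Return (object_type, relation, userset_type) for each relation whose
    direct assignments contain more than one userset (`type#relation`) of the
    same type, i.e. the model shape named in the advisory's first precondition."""
    hits: List[Tuple[str, str, str]] = []
    current_type = None
    for raw in dsl.splitlines():
        line = raw.strip()
        m = TYPE_RE.match(line)
        if m:
            current_type = m.group(1)
            continue
        m = DEFINE_RE.match(line)
        if not m or current_type is None:
            continue
        relation, assignable = m.group(1), m.group(2)
        counts: Dict[str, int] = {}
        for entry in (e.strip() for e in assignable.split(",")):
            # Only `type#relation` entries are usersets; plain types such as
            # `user` and wildcards such as `user:*` are not counted.
            if "#" in entry:
                userset_type = entry.split("#", 1)[0]
                counts[userset_type] = counts.get(userset_type, 0) + 1
        hits.extend((current_type, relation, t) for t, n in counts.items() if n > 1)
    return hits


def is_affected_version(version: str) -> bool:
    """True when the version is in the advisory's range: >= 1.9.3 and < 1.9.5."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return (1, 9, 3) <= parts < (1, 9, 5)


if __name__ == "__main__":
    print(affected_relations(SAMPLE_MODEL))  # [('document', 'viewer', 'group')]
    print(is_affected_version("v1.9.4"))      # True
```

A non-empty result only satisfies the first precondition; whether userset tuples are actually written to the flagged relation still has to be checked against the store.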

Fix

Upgrade to v1.9.5. This upgrade is backwards compatible.

Workaround

Downgrade to v1.9.2 with enable-check-optimizations removed from OPENFGA_EXPERIMENTALS.

Acknowledgments

OpenFGA would like to thank Dominic Harries and rrozza-apolitical for discovering this vulnerability.

References

  • github.com/advisories/GHSA-mgh9-4mwp-fg55
  • github.com/openfga/openfga
  • github.com/openfga/openfga/commit/1a7e0e37fc4777c824b2386cac4867a66f3480b0
  • github.com/openfga/openfga/security/advisories/GHSA-mgh9-4mwp-fg55
  • nvd.nist.gov/vuln/detail/CVE-2025-55213
  • pkg.go.dev/vuln/GO-2025-3894

Affected versions

All versions starting from 1.9.3 before 1.9.5

Fixed versions

  • 1.9.5

Solution

Upgrade to version 1.9.5 or above.

Impact: 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness

  • CWE-863: Incorrect Authorization

Source file

go/github.com/openfga/openfga/CVE-2025-55213.yml
