CVE-2025-64751: OpenFGA Improper Policy Enforcement

November 20, 2025 (updated November 27, 2025)

Overview

OpenFGA v1.4.0 to v1.11.0 (openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed.

Am I Affected?

You are affected by this vulnerability if you meet the following preconditions:

You are using OpenFGA v1.4.0 to v1.11.0
The model has a a relation directly assignable by a type bound pubic access with condition
The same relation is not assignable by a type bound public access without condition
You have a type assigned for the same relation that is a type bound public access without condition

Fix

Upgrade to v1.11.1. This upgrade is backwards compatible.

Workaround

None

References

Code Behaviors & Features

Detect and mitigate CVE-2025-64751 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →