QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2024-56323

Back to search

CVE-2024-56323

Published: Jan 13, 2025

Modified: Jan 14, 2025

PUBLISHED

Description

OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. calling Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.

VendorProductVersions

openfga

openfga

affected
>=1.3.8, <1.8.3

Weaknesses (CWE)

CWE-285

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now