CVE-2024-31452

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-31452
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31452.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-31452
Aliases
Published
2024-04-16T21:40:58Z
Modified
2025-10-22T18:42:01.078969Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
OpenFGA Authorization Bypass
Details

OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to an authorization bypass when calling the Check or ListObjects APIs. You are very likely affected if your authorization model involves exclusion (e.g. "a but not b") or intersection (e.g. "a and b"). This vulnerability is fixed in v1.5.3.

Database specific
{
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/openfga/openfga

Affected ranges

Type
GIT
Repo
https://github.com/openfga/openfga
Events

Affected versions

v1.*

v1.5.0
v1.5.1
v1.5.2