OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses `but not` and `from` expressions and a userset.
This fix is backward compatible.
{ "nvd_published_at": "2024-08-12T13:38:35Z", "cwe_ids": [ "CWE-285", "CWE-863" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-08-09T21:23:26Z" }