Overview
OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling the Check API with a model that uses `but not` and `from` expressions and a userset.
Fix
- If you are using OpenFGA as a Go library, as a binary, or through Docker, upgrade to v1.5.9 as soon as possible.
- If you are using the Helm chart, upgrade to 0.2.12 as soon as possible.
This fix is backward compatible.
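
A triage sketch for the condition described in the Overview, added here as an example and not taken from the advisory or from OpenFGA's code: it compares a server version against the two affected releases and scans a model written in the OpenFGA DSL for `but not`, `from` and a userset. Assumptions: the function names, the sample model and the line-based matching are constructed for illustration, and a `type#relation` entry in a type restriction is taken as the userset; a match means the model deserves review before and after the upgrade, not that a bypass is confirmed.

```python
import re

AFFECTED = {(1, 5, 7), (1, 5, 8)}  # the two releases named in the advisory

# Constructed sample model (not from the advisory).
SAMPLE_MODEL = """
model
  schema 1.1
type user
type group
  relations
    define member: [user]
type folder
  relations
    define viewer: [user, group#member]
type document
  relations
    define parent: [folder]
    define blocked: [user]
    define viewer: viewer from parent but not blocked
"""

def parse_version(text):
    """Turn 'v1.5.8' or '1.5.8' into (1, 5, 8)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def model_features(dsl):
    """Report which of the three constructs appear in `define` lines."""
    found = {"but not": False, "from": False, "userset": False}
    for raw in dsl.splitlines():
        line = raw.strip()
        if not line.startswith("define "):
            continue  # skips type headers, blank lines and comment lines
        expr = line.partition(":")[2]
        found["but not"] |= bool(re.search(r"\bbut not\b", expr))
        found["from"] |= bool(re.search(r"\S+ from \S+", expr))
        # Assumption: a type#relation entry inside [...] is the userset.
        found["userset"] |= bool(re.search(r"\[[^\]]*\w+#\w+[^\]]*\]", expr))
    return found

def triage(version, dsl):
    """Classify a deployment by version and by model contents."""
    if parse_version(version) not in AFFECTED:
        return "version-not-listed"
    if all(model_features(dsl).values()):
        return "affected-version-model-matches"
    return "affected-version-upgrade"
```
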