Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs.
You are very likely affected if your model involves exclusion (e.g. a but not b
) or intersection (e.g. a and b
) and you have any cyclical relationships. If you are using these, please update as soon as possible.
Update to v1.5.3
This update is backward compatible.