N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2024-56323

GHSA ID

GHSA-32q6-rr98-cjqv

EPSS Score

0.23961%

CWE

CWE-285

Published

1/13/2025

Updated

1/14/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-56323

CVE-2024-56323: OpenFGA Authorization Bypass

Overview

OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

Am I Affected?

You are affected by this authorization bypass vulnerability if you are using OpenFGA v1.3.8 to v1.8.2, specifically under the following conditions:

Calling Check API or ListObjects with a model that uses conditions, and
OpenFGA is configured with caching enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED), and
Check API call or ListObjects API calls contain contextual tuples that include conditions.

Fix

Upgrade to v1.8.3. This upgrade is backwards compatible.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-56323

CVE-2024-56323:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2024-56323

GHSA ID

GHSA-32q6-rr98-cjqv

EPSS Score

0.23961%

CWE

CWE-285

Published

1/13/2025

Updated

1/14/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/openfga/openfga	go	>= 1.3.8, < 1.8.3	1.8.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in Check/ListObjects API handlers when three conditions converge: 1) conditional models, 2) caching enabled, and 3) contextual tuples with conditions. The core issue lies in cache key generation not accounting for conditional contextual tuples. The Server.Check and Server.ListObjects methods are the entry points for these API operations and would be responsible for cache key construction. The high confidence comes from the vulnerability's direct association with these endpoints' caching implementations and the documented fix version indicating core handler modifications.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-56323: OpenFGA Authorization Bypass

Overview

Am I Affected?

Fix

CVE-2024-56323:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Basic Information

Basic Information

CVE-2024-56323: OpenFGA Authorization Bypass

Overview

Am I Affected?

Fix

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI