Overview
OpenFGA v1.4.0 to v1.11.0 (openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v1.4.0 <= docker <= v1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObjects calls are executed.
Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:
- You are using OpenFGA v1.4.0 to v1.11.0
- The model has a relation directly assignable by a type bound public access with condition
- The same relation is not assignable by a type bound public access without condition
- You have a type assigned for the same relation that is a type bound public access without condition
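An audit for the model and data preconditions above, as an added example that is not part of the original advisory or the OpenFGA project's code. It assumes the authorization model and tuples have been exported in OpenFGA's JSON form, and it reads the last precondition as a stored tuple that grants `type:*` without a condition; the function names, the sample data and the condition name `in_office_hours` are constructed for illustration.

```python
# Constructed sample: JSON form of an OpenFGA model, reduced to the fields the scan reads.
SAMPLE_MODEL = {"type_definitions": [
    {"type": "user"},
    {"type": "document", "metadata": {"relations": {
        # viewer: user:* assignable only with a condition -> matches the preconditions
        "viewer": {"directly_related_user_types": [
            {"type": "user", "wildcard": {}, "condition": "in_office_hours"}]},
        # editor: user:* assignable with and without a condition -> does not match
        "editor": {"directly_related_user_types": [
            {"type": "user", "wildcard": {}, "condition": "in_office_hours"},
            {"type": "user", "wildcard": {}}]},
    }}},
]}
# Constructed sample tuples (assumed shape of a tuple export).
SAMPLE_TUPLES = [
    {"user": "user:*", "relation": "viewer", "object": "document:roadmap"},
    {"user": "user:*", "relation": "viewer", "object": "document:budget",
     "condition": {"name": "in_office_hours"}},
    {"user": "user:*", "relation": "editor", "object": "document:roadmap"},
    {"user": "user:anne", "relation": "viewer", "object": "document:roadmap"},
]

def conditional_only_wildcards(model):
    """Return {(object_type, relation, user_type)} where public access (type:*)
    is directly assignable with a condition but not without one."""
    hits = set()
    for td in model.get("type_definitions", []):
        relations = (td.get("metadata") or {}).get("relations") or {}
        for rel, meta in relations.items():
            with_cond, without_cond = set(), set()
            for ref in meta.get("directly_related_user_types", []):
                if "wildcard" in ref:
                    (with_cond if ref.get("condition") else without_cond).add(ref["type"])
            hits |= {(td["type"], rel, ut) for ut in with_cond - without_cond}
    return hits

def unconditioned_public_tuples(tuples, hits):
    """Return tuples granting type:* with no condition on a flagged relation."""
    found = []
    for t in tuples:
        user_type, _, user_id = t["user"].partition(":")
        object_type = t["object"].split(":", 1)[0]
        key = (object_type, t["relation"], user_type)
        if user_id == "*" and not t.get("condition") and key in hits:
            found.append(t)
    return found

if __name__ == "__main__":
    flagged = conditional_only_wildcards(SAMPLE_MODEL)
    print("relations matching the model preconditions:", sorted(flagged))
    print("tuples to review:", unconditioned_public_tuples(SAMPLE_TUPLES, flagged))
```

A store on an affected version with a non-empty result from both functions meets every precondition listed above.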
Fix
Upgrade to v1.11.1. This upgrade is backwards compatible.
Workaround
None