OpenFGA Authorization Bypass

Overview OpenFGA v1.8.0 to v1.8.12 ( openfga-0.2.16 <= Helm chart <= openfga-0.2.30, v1.8.0 <= docker <= v.1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? If you are using OpenFGA v1.8.0 to v1.8.12, specifically under the following conditions, you are affected by this authorization bypass vulnerability: – Calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset, and – There are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset, and – Those contextual tuples’s user field is an userset, and – Type bound public access tuples are not assigned to the relationship Fix Upgrade to v1.8.13. This upgrade is backwards compatible. Acknowledgments Okta would like to thank @udyvish for discovering this…Read More