GHSA-MGH9-4MWP-FG55 OpenFGA Authorization Bypass
Description

Overview

OpenFGA v1.9.3 to v1.9.4 (openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObjects calls are executed.

Am I Affected?

You are affected by this vulnerability if you are using OpenFGA v1.9.3 to v1.9.4, specifically under the following preconditions:
– Calling the Check API or ListObjects with an authorization model that has a relationship directly assignable by more than one userset with the same type, and
– There are Check or ListObjects queries that rely on the above relationship, and
– You have userset tuples that are assigned to the above relationship

Fix

Upgrade to v1.9.5. This upgrade is backwards compatible.

Workaround

Downgrade to v1.9.2 with enable-check-optimizations removed from OPENFGA_EXPERIMENTALS.

Acknowledgments

OpenFGA would like to thank Dominic Harries and rrozza-apolitical for discovering this…
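The first precondition above is a property of the authorization model itself, so it can be checked offline against an exported model. The following script is an added example, not code from OpenFGA or from the advisory: it reads an authorization model in OpenFGA's JSON form (the `type_definitions` / `metadata.relations.<relation>.directly_related_user_types` layout) and reports every relation that is directly assignable by more than one userset of the same object type. The sample model embedded in the block is constructed for illustration; `document#viewer` matches the precondition (assignable by both `group#member` and `group#admin`) while `document#editor` does not. The script covers only the model-shape precondition; whether matching userset tuples exist, and whether your queries rely on that relation, must be checked against your stored tuples and call patterns.

```python
import json
from collections import Counter

# Constructed sample OpenFGA authorization model (JSON form of the DSL),
# not taken from any real deployment. `document#viewer` is directly
# assignable by two usersets of the same type (group#member, group#admin),
# which is the model-shape precondition named in the advisory.
SAMPLE_MODEL = json.dumps({
    "schema_version": "1.1",
    "type_definitions": [
        {"type": "user"},
        {
            "type": "group",
            "relations": {"member": {"this": {}}, "admin": {"this": {}}},
            "metadata": {"relations": {
                "member": {"directly_related_user_types": [{"type": "user"}]},
                "admin": {"directly_related_user_types": [{"type": "user"}]},
            }},
        },
        {
            "type": "document",
            "relations": {"viewer": {"this": {}}, "editor": {"this": {}}},
            "metadata": {"relations": {
                # two usersets of type `group` -> matches the precondition
                "viewer": {"directly_related_user_types": [
                    {"type": "group", "relation": "member"},
                    {"type": "group", "relation": "admin"},
                ]},
                # one direct type plus one userset -> does not match
                "editor": {"directly_related_user_types": [
                    {"type": "user"},
                    {"type": "group", "relation": "member"},
                ]},
            }},
        },
    ],
})


def find_multi_userset_relations(model_json: str) -> list:
    """Return (object_type, relation, userset_type, count) for every relation
    that is directly assignable by more than one userset of the same type.

    Only references carrying a "relation" key are usersets; plain direct
    types such as {"type": "user"} and wildcard entries are ignored because
    they do not match the advisory's precondition.
    """
    model = json.loads(model_json)
    hits = []
    for type_def in model.get("type_definitions", []):
        obj_type = type_def["type"]
        relation_meta = (type_def.get("metadata") or {}).get("relations", {})
        for relation, meta in relation_meta.items():
            per_type = Counter(
                ref["type"]
                for ref in meta.get("directly_related_user_types", [])
                if "relation" in ref
            )
            for userset_type, count in per_type.items():
                if count > 1:
                    hits.append((obj_type, relation, userset_type, count))
    return hits


if __name__ == "__main__":
    # In practice, pass the JSON returned by the OpenFGA read-authorization-model
    # API (or `fga model get`) instead of SAMPLE_MODEL.
    for obj_type, relation, userset_type, count in find_multi_userset_relations(SAMPLE_MODEL):
        print(f"{obj_type}#{relation} is directly assignable by {count} "
              f"usersets of type {userset_type}")
```

If the script reports any relation and you run OpenFGA v1.9.3 or v1.9.4, treat the deployment as affected and upgrade to v1.9.5; an empty result only means the model-shape precondition is absent for the model you exported, so re-run it after any model change.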
