OpenFGA Improper Policy Enforcement

基本資訊

• GHSA ID: GHSA-jq9f-gm9w-rwm9
• CVE ID: CVE-2026-24851
• 嚴重性: MEDIUM
• 發布時間: 2026-02-05T21:46:41Z
• 來源: GitHub Advisory

漏洞描述

Impact

OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed.

Affected Users

Users are affected by this vulnerability if all of the following preconditions are met:

• OpenFGA v1.8.5 to v1.11.2 is being used
• The model has a relation directly assignable by a type bound public access and assignable by type bound non-public access
• A tuple is assigned for the relation that is a type bound public access
• A tuple is assigned for the same object with the same relation that is not type bound public access
• A tuple is assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access

Fix

Upgrade to v1.11.3. This upgrade is backwards compatible.

Workaround

None

影響範圍

• go:github.com/openfga/openfga (>= 1.8.5, <= 1.11.2) → 1.11.3

CVSS 評分

• CVSS v4: 5.8 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H)

CWE 分類

• CWE-863: Incorrect Authorization

EPSS 評分

• EPSS: N/A

萃取備註

• 資料來源: GitHub Security Advisories Database
• 信心水準: 高(官方漏洞資料庫)
• 處理時間: 2026-02-08T07:48:02.482669