CVE-2025-46331 MEDIUM

CVE-2025-46331: OpenFGA Authorization Bypass

Vendor Openfga
Product openfga
Weakness CWE-284
Published April 30, 2025
Last update May 1, 2025

CVSS base score

5.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. This issue has been patched in version 1.8.11.

Key dates

02Disclosure timeline

April 30, 2025 CVE published
May 1, 2025 Record updated