Openfga · Openfga · CVE-2023-40579
**Name of the Vulnerable Software and Affected Versions**
OpenFGA versions 1.3.0 and earlier
**Description**
OpenFGA is an authorization/permission engine. In versions 1.3.0 and earlier, callers of the `ListObjects` API endpoint are exposed to an authorization bypass: the endpoint can return more objects than the caller is actually authorized to see. Only deployments whose authorization models contain expressions of the form `rel1 from type1` are affected, so customers using `ListObjects` with such models should treat themselves as in scope.
**Recommendations**
Update to version 1.3.1; the update is backward compatible and patches the issue. Until the update is applied, a temporary workaround is to restrict use of the `ListObjects` API endpoint with models that contain expressions of the form `rel1 from type1`.
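To decide whether a deployment falls in scope, an operator needs two facts: the server version (1.3.0 or earlier is affected) and whether the authorization model uses the `rel1 from type1` form of expression. The Go program below is an added example written for this page, not OpenFGA's own code. It scans a model written in the OpenFGA DSL for `X from Y` expressions and compares the server version against the patched release 1.3.1. The sample model is constructed for the example, and the DSL shape (`type` blocks with `define <relation>: ...` lines, where `viewer from parent` is the kind of expression the advisory refers to) is assumed from the documented OpenFGA syntax.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleModel is a constructed OpenFGA DSL model. The "viewer from parent"
// expression on the document type is the form the advisory flags.
const sampleModel = `model
  schema 1.1

type user

type folder
  relations
    define owner: [user]
    define viewer: [user] or owner

type document
  relations
    define parent: [folder]
    define viewer: [user] or viewer from parent
`

// fromExprRe matches "<rel1> from <rel2>" inside the body of a define line.
var fromExprRe = regexp.MustCompile(`\b([A-Za-z_][A-Za-z0-9_]*)\s+from\s+([A-Za-z_][A-Za-z0-9_]*)\b`)

// Finding records one "from" expression and where it appears in the model.
type Finding struct {
	Type     string // object type whose relation uses the expression
	Relation string // relation being defined
	Expr     string // the matched "rel1 from rel2" text
}

// FindFromExpressions walks the DSL line by line, tracking the current type,
// and returns every "rel1 from rel2" expression found in a define line.
func FindFromExpressions(model string) []Finding {
	var findings []Finding
	currentType := ""
	for _, raw := range strings.Split(model, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "type "):
			currentType = strings.TrimSpace(strings.TrimPrefix(line, "type "))
		case strings.HasPrefix(line, "define "):
			name, body, ok := strings.Cut(strings.TrimPrefix(line, "define "), ":")
			if !ok {
				continue
			}
			for _, m := range fromExprRe.FindAllString(body, -1) {
				findings = append(findings, Finding{Type: currentType, Relation: strings.TrimSpace(name), Expr: m})
			}
		}
	}
	return findings
}

// parseVersion parses "MAJOR.MINOR.PATCH" (an optional leading "v" is accepted).
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "v"), ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version format %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version component %q: %w", p, err)
		}
		out[i] = n
	}
	return out, nil
}

// VersionIsVulnerable reports whether a server version is 1.3.0 or earlier,
// i.e. strictly below the patched release 1.3.1 named in the advisory.
func VersionIsVulnerable(v string) (bool, error) {
	ver, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	fixed := [3]int{1, 3, 1}
	for i := 0; i < 3; i++ {
		if ver[i] != fixed[i] {
			return ver[i] < fixed[i], nil
		}
	}
	return false, nil // exactly 1.3.1: patched
}

// Assess combines both checks: a deployment is exposed only when the server is
// unpatched AND the model contains at least one "from" expression.
func Assess(version, model string) (exposed bool, findings []Finding, err error) {
	vuln, err := VersionIsVulnerable(version)
	if err != nil {
		return false, nil, err
	}
	findings = FindFromExpressions(model)
	return vuln && len(findings) > 0, findings, nil
}

func main() {
	exposed, findings, err := Assess("1.3.0", sampleModel)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("type %s, relation %s: uses %q\n", f.Type, f.Relation, f.Expr)
	}
	fmt.Println("exposed to CVE-2023-40579:", exposed)
}
```

Run against a real model exported from the server and the version string it reports; an empty findings list means the workaround of restricting `ListObjects` is not needed for that model, though upgrading to 1.3.1 remains the fix.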