PT-2022-16063 · Openfga · Openfga

Author: Samyghannad
Published: 2022-12-20 · Updated: 2024-08-21
CVE ID: CVE-2022-23542
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: OpenFGA version 0.3.0

Description: OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA is vulnerable to authorization bypass under certain conditions. The issue occurs when a model written in modeling language v1.1 applies a type restriction to an object, and the model is then updated by adding a new type and replacing the previous restriction. This can lead to unauthorized access.

Recommendations: For OpenFGA version 0.3.0, upgrade to version 0.3.1, which fixes the authorization bypass. The update is backward compatible.


Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2022-23542
GHSA-M3Q4-7QMJ-657M
GO-2022-1179

Affected Products

Openfga