PT-2023-27517 · Openfga · Openfga

Author: Aaguiarz · Published: 2023-08-25 · Updated: 2024-08-21 · CVE-2023-40579

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenFGA versions 1.3.0 and earlier

Description: The issue affects OpenFGA, an authorization/permission engine, where some end users of versions 1.3.0 or earlier are vulnerable to authorization bypass when calling the "ListObjects" API endpoint. This means the API sometimes returns more objects than it should. The vulnerability affects customers using ListObjects with specific models, particularly those containing expressions of type rel1 from type1.

Recommendations: Update to version 1.3.1, as this update is backward compatible and patches the issue. As a temporary workaround, consider restricting the use of the ListObjects API endpoint with models containing expressions of type rel1 from type1 until the update is applied.
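To decide whether the workaround above applies to a given deployment, an operator needs to know two things: whether the server is older than 1.3.1, and whether the authorization model actually contains a tuple-to-userset rewrite (the "rel1 from ..." form in the DSL). The following script is an added example written for this advisory, not code from the OpenFGA project. It assumes the JSON shape that the OpenFGA API uses for models (`type_definitions[].relations`, with `this`, `computedUserset`, `tupleToUserset`, `union`, `intersection` and `difference` nodes); the embedded sample model and version strings are constructed for the demonstration.

```python
"""Triage helper for CVE-2023-40579: flag OpenFGA deployments that are both
below the fixed version (1.3.1) and use a model with a "rel from rel" rewrite.

Assumption: the model is in the OpenFGA API JSON form, where each relation is
a userset-rewrite tree built from "this", "computedUserset", "tupleToUserset",
"union", "intersection" and "difference" nodes.
"""

import json

FIXED_VERSION = (1, 3, 1)  # first release that patches the ListObjects issue


def parse_version(version: str) -> tuple:
    """Turn 'v1.3.0', '1.3.1' or '1.4.0-rc1' into a comparable (major, minor, patch)."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: str) -> bool:
    """True when the server version predates the fix."""
    return parse_version(version) < FIXED_VERSION


def _walk(userset: dict, rel_name: str, found: list) -> None:
    """Recursively collect tupleToUserset nodes from one relation's rewrite tree."""
    if "tupleToUserset" in userset:
        ttu = userset["tupleToUserset"]
        # (defining relation, computed relation, tupleset relation), i.e.
        # "<computed> from <tupleset>" in the DSL.
        found.append((rel_name,
                      ttu["computedUserset"]["relation"],
                      ttu["tupleset"]["relation"]))
    for key in ("union", "intersection"):
        if key in userset:
            for child in userset[key].get("child", []):
                _walk(child, rel_name, found)
    if "difference" in userset:
        _walk(userset["difference"]["base"], rel_name, found)
        _walk(userset["difference"]["subtract"], rel_name, found)


def find_tuple_to_userset(model: dict) -> list:
    """Return every relation in the model that uses a 'rel from rel' rewrite."""
    found = []
    for td in model.get("type_definitions", []):
        for rel_name, userset in td.get("relations", {}).items():
            _walk(userset, f"{td['type']}#{rel_name}", found)
    return found


def needs_workaround(model: dict, version: str) -> bool:
    """True when ListObjects should be restricted until the server is upgraded."""
    return is_affected_version(version) and bool(find_tuple_to_userset(model))


# Constructed sample model: a document inherits viewers from its parent folder,
# which is the "viewer from parent" pattern named in the advisory.
SAMPLE_MODEL = json.loads("""
{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "folder", "relations": {"viewer": {"this": {}}}},
    {"type": "document", "relations": {
      "parent": {"this": {}},
      "viewer": {"union": {"child": [
        {"this": {}},
        {"tupleToUserset": {
          "tupleset": {"object": "", "relation": "parent"},
          "computedUserset": {"object": "", "relation": "viewer"}}}
      ]}}
    }}
  ]
}
""")

if __name__ == "__main__":
    for rel, computed, tupleset in find_tuple_to_userset(SAMPLE_MODEL):
        print(f"{rel} is defined via '{computed} from {tupleset}'")
    for v in ("v1.3.0", "v1.3.1"):
        print(f"server {v}: restrict ListObjects = {needs_workaround(SAMPLE_MODEL, v)}")
```

Point the script at a model exported from the server (for example the JSON returned by the read-authorization-model API) and at the server's reported version; a `True` from `needs_workaround` means the deployment is in the population the advisory describes and ListObjects results should not be trusted for the affected relations until the upgrade is done.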

Weakness Enumeration: Improper Access Control

Related Identifiers:
CVE-2023-40579
GHSA-JCF2-MXR2-GMQP
GO-2023-2028

Affected Products: Openfga