PT-2024-24086 · Openfga · Openfga

Miparnisari · Published 2024-04-16 · Updated 2026-01-05 · CVE-2024-31452

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenFGA versions 1.5.0 through 1.5.2
Description: The issue concerns an authorization bypass when calling the Check or ListObjects APIs in OpenFGA. Users are likely affected if their model involves exclusion (e.g., a but not b) or intersection (e.g., a and b), particularly if there are cyclical relationships.
Recommendations: Update to version 1.5.3 to resolve the issue. As a temporary workaround, consider restricting the use of exclusion and intersection models, especially those with cyclical relationships, until the update is applied.
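As an added example (not code from the advisory or from the OpenFGA project), the following Python script audits an authorization model for the conditions the workaround names: relations built with exclusion or intersection, and relations that reference themselves through a cycle. It assumes the standard OpenFGA v1.1 JSON model format (`type_definitions`, `difference`, `intersection`, `computedUserset`, `tupleToUserset`); the sample model and the helper names are constructed for this illustration.

```python
import json

# Constructed sample model (not from the advisory): "viewer" uses exclusion,
# "editor" uses intersection, and the two reference each other (a cycle).
SAMPLE_MODEL = json.loads("""{"schema_version": "1.1", "type_definitions": [
  {"type": "user", "relations": {}},
  {"type": "document", "relations": {
    "blocked": {"this": {}},
    "editor": {"intersection": {"child": [{"this": {}},
      {"computedUserset": {"object": "", "relation": "viewer"}}]}},
    "viewer": {"difference": {
      "base": {"union": {"child": [{"this": {}},
        {"computedUserset": {"object": "", "relation": "editor"}}]}},
      "subtract": {"computedUserset": {"object": "", "relation": "blocked"}}}}}}]}""")

def walk(userset, ops, refs):
    """Record exclusion/intersection operators and same-type relation references."""
    for key, val in userset.items():
        if key == "computedUserset":
            refs.add(val["relation"])
        elif key == "tupleToUserset":  # edge via the tupleset relation on this type
            refs.add(val["tupleset"]["relation"])
        elif key in ("difference", "union", "intersection"):
            if key != "union":  # union is not one of the risky operators
                ops.add(key)
            children = [val["base"], val["subtract"]] if key == "difference" else val["child"]
            for child in children:
                walk(child, ops, refs)

def in_cycle(graph, start, cur=None, seen=frozenset()):
    """True if relation `start` can reach itself through computed/TTU references."""
    cur = start if cur is None else cur
    return any(nxt == start or (nxt not in seen and in_cycle(graph, start, nxt, seen | {nxt}))
               for nxt in graph.get(cur, ()))

def audit_model(model):
    """Per type: which risky operators appear and which relations sit on a cycle."""
    report = {}
    for td in model["type_definitions"]:
        ops, graph = set(), {}
        for name, userset in td.get("relations", {}).items():
            graph[name] = set()
            walk(userset, ops, graph[name])
        if ops:  # only exclusion/intersection models fall under the workaround
            report[td["type"]] = {"operators": sorted(ops),
                                  "cyclic": sorted(r for r in graph if in_cycle(graph, r))}
    return report

if __name__ == "__main__":
    print(json.dumps(audit_model(SAMPLE_MODEL), indent=2))
```

Types that appear in the report are the ones to review (or to simplify as a stopgap) until the deployment runs 1.5.3 or later.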

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

CVE-2024-31452
GHSA-8CPH-M685-6V6R
GO-2024-2729

Affected Products

Openfga