CVE-2025-48371

Name of the Vulnerable Software and Affected Versions OpenFGA versions 1.8.0 through 1.8.12

Description OpenFGA is an authorization/permission engine. The issue arises when certain Check and ListObject calls are executed under specific conditions. These conditions include: calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; those contextual tuples’ user field is an userset; and type bound public access tuples are not assigned to the relationship.

Recommendations For OpenFGA versions 1.8.0 through 1.8.12, users should upgrade to version 1.8.13 to receive a patch, as this upgrade is backwards compatible.