PT-2025-3267 · Openfga+1

Miparnisari · Published 2025-01-13 · Updated 2025-12-31

CVE-2024-56323 · CVSS v3.1 9.8 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenFGA versions 1.3.8 through 1.8.2

Description: An authorization bypass in OpenFGA that occurs only when several conditions hold together: the Check API or ListObjects API is called with a model that uses conditions, OpenFGA is configured with the check query cache enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED), and the Check or ListObjects call contains contextual tuples that include conditions.

Recommendations: For OpenFGA versions 1.3.8 through 1.8.2, upgrade to version 1.8.3; the upgrade is backwards compatible. As a temporary workaround until the upgrade to 1.8.3 is possible, disable caching by setting OPENFGA_CHECK_QUERY_CACHE_ENABLED to false. Until then, avoid using conditions in models used for Check API or ListObjects calls, and avoid contextual tuples that include conditions in those calls.
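The preconditions listed above can be turned into a triage check for a deployment. The following is an added example and not OpenFGA's own code; it assumes versions of the form "1.8.2" or "v1.8.2", that the cache flag is read from the environment variable named in the advisory and parsed like Go's strconv.ParseBool (assumed default: disabled), and that models and Check requests use the public OpenFGA JSON shapes (a top-level "conditions" map; "contextual_tuples": {"tuple_keys": [...]} with an optional "condition" per tuple).

```python
"""Triage helper for the advisory above. Added example, not OpenFGA's own code.
Assumptions: versions look like "1.8.2" or "v1.8.2"; the cache flag is read from the
environment variable named in the advisory and parsed like Go's strconv.ParseBool
(assumed default: disabled); the model JSON carries a top-level "conditions" map and a
Check request carries "contextual_tuples": {"tuple_keys": [...]} with an optional
"condition" on each tuple, as in the public OpenFGA API shapes."""
import re
from typing import Any, Mapping

AFFECTED_MIN, AFFECTED_MAX = (1, 3, 8), (1, 8, 2)  # fixed in 1.8.3
CACHE_ENV = "OPENFGA_CHECK_QUERY_CACHE_ENABLED"
TRUE_VALUES = {"1", "t", "true"}  # strconv.ParseBool spellings, lowercased


def parse_version(text: str) -> tuple:
    """Turn "v1.8.2" or "1.8.2-rc1" into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenFGA version: {text!r}")
    return tuple(int(part) for part in m.groups())


def cache_enabled(env: Mapping[str, str]) -> bool:
    """True when the check query cache is switched on via the environment."""
    return env.get(CACHE_ENV, "false").strip().lower() in TRUE_VALUES


def model_uses_conditions(model: Mapping[str, Any]) -> bool:
    """A model with a non-empty "conditions" map defines at least one condition."""
    return bool(model.get("conditions"))


def request_has_conditional_contextual_tuples(request: Mapping[str, Any]) -> bool:
    """True when any contextual tuple in a Check/ListObjects body carries a condition."""
    tuples = (request.get("contextual_tuples") or {}).get("tuple_keys") or []
    return any(t.get("condition") for t in tuples)


def assess(version: str, env: Mapping[str, str], model: Mapping[str, Any],
           request: Mapping[str, Any]) -> str:
    """Classify a deployment against the advisory's preconditions."""
    if not AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX:
        return "not-affected"          # outside 1.3.8..1.8.2; 1.8.3 and later carry the fix
    if not cache_enabled(env):
        return "mitigated-cache-off"   # the advisory's temporary workaround is in effect
    if model_uses_conditions(model) and request_has_conditional_contextual_tuples(request):
        return "exposed"               # every precondition met: upgrade to 1.8.3
    return "affected-version"          # vulnerable build, preconditions not (yet) met
```

Feed it the running version, the server's environment, the authorization model and a representative Check or ListObjects request body; "exposed" means all four preconditions from the description are met.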


Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2024-56323
GHSA-32Q6-RR98-CJQV
GO-2025-3384
OPENSUSE-SU-2025:14653-1
OPENSUSE-SU-2025_0297-1
SUSE-SU-2025:0297-1

Affected Products

Openfga
Suse