PT-2025-7553 · Openfga · Openfga

Adriantampu · Published 2025-02-19 · Updated 2025-03-13

CVE-2025-25196

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenFGA versions prior to 1.8.5

Description: The issue is an authorization bypass that occurs when certain Check and ListObjects calls are executed. It affects OpenFGA users under specific conditions: the Check API or ListObjects is called with a model in which a relation is directly assignable both to type-bound public access and to a userset of the same type, and a type-bound public access tuple is assigned to an object while the corresponding userset tuple is not. The Check request's user field must be a userset whose type matches the user type of the type-bound public access tuple. Users are advised to upgrade to a newer version to resolve the issue.

Recommendations: To resolve the issue, upgrade to version 1.8.5, which is backwards compatible. As a temporary workaround, consider restricting access to the Check API and ListObjects endpoints until the upgrade is applied. Until then, avoid using a userset in the Check request's user field that has the same type as the type-bound public access tuple's user type.
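To find where a deployed model meets the advisory's first condition, here is an added example (not code from OpenFGA or from the advisory) that scans an authorization model in OpenFGA's JSON format (schema 1.1) for relations directly assignable to both a type-bound public access `T:*` and a userset `T#rel` of that same type; the sample model is constructed for the demonstration.

```python
import json

# Constructed sample authorization model (OpenFGA JSON schema 1.1), not taken
# from the advisory. "doc#viewer" mixes the wildcard group:* with the userset
# group#member (the pattern the advisory describes); "doc#editor" mixes user:*
# with group#member, which are different types and therefore not the pattern.
SAMPLE_MODEL = json.dumps({
    "schema_version": "1.1",
    "type_definitions": [
        {"type": "user"},
        {"type": "group", "relations": {"member": {"this": {}}},
         "metadata": {"relations": {"member": {
             "directly_related_user_types": [{"type": "user"}]}}}},
        {"type": "doc",
         "relations": {"viewer": {"this": {}}, "editor": {"this": {}}},
         "metadata": {"relations": {
             "viewer": {"directly_related_user_types": [
                 {"type": "group", "wildcard": {}},
                 {"type": "group", "relation": "member"}]},
             "editor": {"directly_related_user_types": [
                 {"type": "user", "wildcard": {}},
                 {"type": "group", "relation": "member"}]}}}},
    ],
})


def find_risky_relations(model_json: str) -> list[str]:
    """Return 'type#relation' entries whose direct assignments combine a
    type-bound public access (T:*) with a userset (T#rel) of the same type T."""
    model = json.loads(model_json)
    findings = []
    for type_def in model.get("type_definitions", []):
        # Types without relations carry no metadata block at all.
        rel_meta = (type_def.get("metadata") or {}).get("relations") or {}
        for rel_name, meta in rel_meta.items():
            direct = meta.get("directly_related_user_types") or []
            wildcard_types = {d["type"] for d in direct if "wildcard" in d}
            userset_types = {d["type"] for d in direct if d.get("relation")}
            if wildcard_types & userset_types:
                findings.append(f"{type_def['type']}#{rel_name}")
    return findings


if __name__ == "__main__":
    for entry in find_risky_relations(SAMPLE_MODEL):
        print("relation matches the advisory pattern; upgrade to 1.8.5:", entry)
```

A hit only means the model can satisfy the advisory's conditions; whether a bypass is reachable also depends on which tuples are written, so treat the list as a review queue while the upgrade is scheduled.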

Weakness Enumeration: Improper Authorization

Related Identifiers

BDU:2025-02225
CVE-2025-25196
GHSA-G4V5-6F5P-M38J
GO-2025-3470
OPENSUSE-SU-2025:14889-1

Affected Products

Openfga