PT-2026-6646 · Openfga · Openfga
Adriantam
·
Published
2026-02-05
·
Updated
2026-03-03
·
CVE-2026-24851
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenFGA versions 1.8.5 through 1.11.2
Description
OpenFGA is an authorization/permission engine. Versions 1.8.5 through 1.11.2 are susceptible to improper policy enforcement during specific
Check calls. This occurs when a model includes a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access.Recommendations
Upgrade to version 1.11.3.
Exploit
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openfga