{"id":"CVE-2024-56323","summary":"OpenFGA Authorization Bypass","details":"OpenFGA is an authorization/permission engine. OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v1.8.2) is vulnerable to authorization bypass under the following conditions: 1. calling the Check API or ListObjects API with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. calling the Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions, and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.","aliases":["GHSA-32q6-rr98-cjqv","GO-2025-3384"],"modified":"2026-04-10T05:19:24.726363Z","published":"2025-01-13T21:33:30.556Z","related":["CGA-67j8-7fvx-q4gm","SUSE-SU-2025:0297-1","openSUSE-SU-2025:14653-1"],"database_specific":{"cwe_ids":["CWE-285"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56323.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56323.json"},{"type":"ADVISORY","url":"https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56323"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openfga/helm-charts","events":[{"introduced":"5ea6fef65deec4ffc992cc6abeea326c01b62b0c"},{"fixed":"10a041ea58c1ddfe8a52fc8fb7ceb76641de1dcf"}],"database_specific":{"versions":[{"introduced":"0.1.38"},{"fixed":"0.2.19"}]}}],"versions":["openfga-0.1.38","openfga-0.1.39","openfga-0.1.40","openfga-0.1.41","openfga-0.2.0","openfga-0.2.1","openfga-0.2.10","openfga-0.2.11","openfga-0.2.12","openfga-0.2.13","openfga-0.2.14","openfga-0.2.15","openfga-0.2.16","openfga-0.2.17","openfga-0.2.18","openfga-0.2.2","openfga-0.2.3","openfga-0.2.4","openfga-0.2.5","openfga-0.2.6","openfga-0.2.7","openfga-0.2.8","openfga-0.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56323.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/openfga/openfga","events":[{"introduced":"0bd6e1bf76e6043213b95d19923db9ccf50ab10d"},{"fixed":"21757d53bc3e6b3cef4d4679f20d92f80e92bb84"}]}],"versions":["v1.3.10","v1.3.8","v1.3.9","v1.4.0","v1.4.1","v1.4.3","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.5.6","v1.5.7","v1.5.8","v1.5.9","v1.6.0","v1.6.1","v1.6.2","v1.7.0","v1.8.0","v1.8.1","v1.8.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56323.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"}]}