{"id":"CVE-2025-46331","summary":"OpenFGA Authorization Bypass","details":"OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA versions v1.3.6 through v1.8.10 (Helm chart \u003c= openfga-0.2.28, docker \u003c= v1.8.10) are vulnerable to an authorization bypass when certain Check and ListObjects calls are executed. This issue has been patched in version 1.8.11.","aliases":["GHSA-w222-m46c-mgh6","GO-2025-3657"],"modified":"2026-04-10T05:28:25.603287Z","published":"2025-04-30T18:27:05.921Z","related":["CGA-69mj-9x4f-mwjm","openSUSE-SU-2025:15135-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46331.json","cwe_ids":["CWE-284"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46331.json"},{"type":"ADVISORY","url":"https://github.com/openfga/openfga/security/advisories/GHSA-w222-m46c-mgh6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46331"},{"type":"FIX","url":"https://github.com/openfga/openfga/commit/244302e7a8b979d66cc1874a3899cdff7d47862f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openfga/helm-charts","events":[{"introduced":"f3109a38c3e11471d2bc4cf7345a612ae6f99d10"},{"fixed":"82fc58b99ee95098e4bf88dc3d90b35c86592188"}],"database_specific":{"versions":[{"introduced":"0.1.36"},{"fixed":"0.2.29"}]}}],"versions":["openfga-0.1.36","openfga-0.1.37","openfga-0.1.38","openfga-0.1.39","openfga-0.1.40","openfga-0.1.41","openfga-0.2.0","openfga-0.2.1","openfga-0.2.10","openfga-0.2.11","openfga-0.2.12","openfga-0.2.13","openfga-0.2.14","openfga-0.2.15","openfga-0.2.16","openfga-0.2.17","openfga-0.2.18","openfga-0.2.19","openfga-0.2.2","openfga-0.2.20","openfga-0.2.21","openfga-0.2.22","openfga-0.2.23","openfga-0.2.24","openfga-0.2.25","openfga-0.2.26","openfga-0.2.27","openfga-0.2.28","openfga-0.2.3","openfga-0.2.4","openfga-0.2.5","openfga-0.2.6","openfga-0.2.7","openfga-0.2.8","openfga-0.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46331.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/openfga/openfga","events":[{"introduced":"e30face320888b41b9d6d5b97aed3a9dbca2cf0f"},{"fixed":"244302e7a8b979d66cc1874a3899cdff7d47862f"}]}],"versions":["v1.3.10","v1.3.6","v1.3.7","v1.3.8","v1.3.9","v1.4.0","v1.4.1","v1.4.3","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.5.6","v1.5.7","v1.5.8","v1.5.9","v1.6.0","v1.6.1","v1.6.2","v1.7.0","v1.8.0","v1.8.1","v1.8.10","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.8.8","v1.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46331.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"}]}