{"id":"CVE-2025-48371","summary":"OpenFGA Authorization Bypass","details":"OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling the Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples' user field is a userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible.","aliases":["GHSA-c72g-53hw-82q7","GO-2025-3707"],"modified":"2026-04-02T12:50:27.521129Z","published":"2025-05-22T22:20:37.570Z","related":["CGA-fx75-hhvm-m848","openSUSE-SU-2025:15179-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48371.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-285"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48371.json"},{"type":"ADVISORY","url":"https://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48371"},{"type":"FIX","url":"https://github.com/openfga/openfga/commit/e5960d4eba92b723de8ff3a5346a07f50c1379ca"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openfga/helm-charts","events":[{"introduced":"e55f0301b06433e61335e68e083dbbc07276a793"},{"fixed":"2e15dee5c11d3e502a8669490e517cac6e507c10"}],"database_specific":{"versions":[{"introduced":"0.2.16"},{"fixed":"0.2.32"}]}}],"versions":["openfga-0.2.16","openfga-0.2.17","openfga-0.2.18","openfga-0.2.19","openfga-0.2.20","openfga-0.2.21","openfga-0.2.22","openfga-0.2.23","openfga-0.2.24","openfga-0.2.25","openfga-0.2.26","openfga-0.2.27","openfga-0.2.28","openfga-0.2.29","openfga-0.2.30","openfga-0.2.31"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48371.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/openfga/openfga","events":[{"introduced":"0cc569ff4edcfda1f949316dae1e244c5be5e963"},{"fixed":"e5960d4eba92b723de8ff3a5346a07f50c1379ca"}]}],"versions":["v1.8.0","v1.8.1","v1.8.10","v1.8.11","v1.8.12","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.8.8","v1.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48371.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"}]}