Overview
During our internal security assessment, it was discovered that OpenFGA versions v0.2.3 and prior are vulnerable to authorization bypass under certain conditions.
Am I affected?
You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement).
How to fix that?
Upgrade to version v0.2.4.
Backward Compatibility
This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.
Overview
During our internal security assessment, it was discovered that OpenFGA versions
v0.2.3and prior are vulnerable to authorization bypass under certain conditions.Am I affected?
You are affected by this vulnerability if you are using
openfga/openfgaversionv0.2.3and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement).How to fix that?
Upgrade to version
v0.2.4.Backward Compatibility
This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.