
CVE-2026-24851

Published 06/02/2026 18:15 · Modified 06/02/2026 21:57

Labels: CVE-2026-24851, 2026-02-06, CWE-863, [email protected]

Essential information

Published: 06/02/2026 18:15
Modified: 06/02/2026 21:57
Author: Creator
CVSS: 5.8 MEDIUM (v3), 5.8 MEDIUM (v4.0)
CISA KEV: No
CWE: CWE-863

Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 through v1.11.2 (Helm chart openfga-0.2.22 through openfga-0.2.51; Docker images v1.8.5 through v1.11.2) is vulnerable to improper policy enforcement when certain Check calls are executed. Triggering the vulnerability requires all of the following: a model with a relation that is directly assignable both by type-bound public access and by type-bound non-public access; a tuple for that relation assigned via type-bound public access; a tuple for the same object and the same relation that is not type-bound public access; and a tuple for a different object, whose object ID is lexicographically larger, with the same user and relation and which is not type-bound public access. This vulnerability is fixed in v1.11.3.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product                      CPE
openfga / openfga            cpe:2.3:a:openfga:openfga:1.8.5-1.11.2:*:*:*:*:*:*:*
openfga / openfga            cpe:2.3:a:openfga:openfga:1.11.3:*:*:*:*:*:*:*
openfga / openfga helm chart cpe:2.3:a:openfga:openfga_helm_chart:0.2.22-0.2.51:*:*:*:*:*:*:*
openfga / openfga docker     cpe:2.3:a:openfga:openfga_docker:1.8.5-1.11.2:*:*:*:*:*:*:*
