CVE-2024-56323

Description

### Overview OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. ### Am I Affected? You are affected by this authorization bypass vulnerability if you are using OpenFGA v1.3.8 to v1.8.2, specifically under the following conditions: 1. Calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`), and 3. Check API call or ListObjects API calls contain [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions. ### Fix Upgrade to v1.8.3. This upgrade is backwards compatible.

Affected packages (2)

• Go/github.com/openfga/openfga>= 1.3.8, < 1.8.3
• Go/github.com/openfga/openfga>= 1.3.8, < 1.8.3

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-56323
• PATCHhttps://github.com/openfga/openfga
• WEBhttps://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv
• WEBhttps://pkg.go.dev/vuln/GO-2025-3384