github.com/openfga/openfga
Go | 16 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/openfga/openfga
- CVE-2022-23542 | HIGH | CVSS 7.7 | EG 7.7 | ✓ Fixed in 0.3.1 | 2022-12-20
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain co…
- CVE-2022-39340 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 0.2.4 | 2022-10-25
OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/openfga` versions 0.2.…
- CVE-2022-39341 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 0.2.4 | 2022-10-25
OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (`*`) defined on tupleset relations in their authorization model are vu…
- CVE-2022-39342 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 0.2.4 | 2022-10-25
OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ sta…
- CVE-2022-39352 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 0.2.5 | 2022-11-08
OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple…
- CVE-2023-35933 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 1.1.1 | 2023-06-26
OpenFGA is an open source authorization/permission engine built for developers. OpenFGA versions v1.1.0 and prior are vulnerable to a DoS attack when Check and ListObjects calls are executed against authorization models that contain circul…
- CVE-2023-40579 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 1.3.1 | 2023-08-25
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affe…
- CVE-2023-43645 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 1.3.2 | 2023-09-27
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circula…
- CVE-2023-45810 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.3.4 | 2023-10-17
OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Affected versions of OpenFGA are vulnerable to a denial of service attack. When a number of `ListObjects` calls are executed, in so…
- CVE-2024-23820 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.4.3 | 2024-01-26
OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. In some scenarios that depend on the model and tuples used, a call to `ListObjects` may not release memory properly. So w…
- CVE-2024-31452 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 1.5.3 | 2024-04-16
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model…
- CVE-2024-42473 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.5.9 | 2024-08-12
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses `but not` and `from` expressions and a userset. Users should downgrade to v1.5.6 …
- CVE-2026-33729 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 1.13.1 | 2026-03-27
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can resul…
- CVE-2026-34972 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 1.14.0 | 2026-04-06
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same objec…
- CVE-2026-40293 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 1.14.0 | 2026-04-17
OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the presha…
- CVE-2026-41131 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 1.14.1 | 2026-04-22
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This …