CVE-2025-64751
Overview
OpenFGA v1.4.0 through v1.11.0 (Helm chart openfga-0.1.34 through openfga-0.2.48; Docker image v1.4.0 through v1.11.0) is vulnerable to improper policy enforcement when certain Check and ListObjects calls are executed.
Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:
- You are using OpenFGA v1.4.0 to v1.11.0
- The model has a relation that is directly assignable by a type-bound public access (e.g. `user:*`) with a condition
- The same relation is not assignable by a type-bound public access without a condition
- You have written a tuple for that relation that assigns a type-bound public access without a condition
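The three preconditions above are a static property of the authorization model plus the stored tuples, so they can be checked offline. The following is an added example, not code from the advisory or the OpenFGA project; it assumes OpenFGA's JSON model shape (each relation's metadata lists `directly_related_user_types` entries with a `type`, an optional `wildcard` marker for type-bound public access, and an optional `condition` name) and tuples as plain dicts with an optional `condition`. The sample model and tuples are constructed.

```python
# Added example, not from the advisory: flag a model + tuples that match the
# preconditions above. Assumed OpenFGA JSON shapes: a relation's metadata lists
# directly_related_user_types entries with "type", optional "wildcard": {}
# (type-bound public access, e.g. user:*) and optional "condition" name;
# a tuple is {"user", "relation", "object", optional "condition"}.

def wildcard_shape(model):
    """(object type, relation) -> (wildcard types with condition, without)."""
    shape = {}
    for td in model.get("type_definitions", []):
        for rel, meta in (td.get("metadata") or {}).get("relations", {}).items():
            with_cond, without_cond = set(), set()
            for ref in meta.get("directly_related_user_types", []):
                if "wildcard" in ref:  # only type-bound public access is in scope
                    (with_cond if ref.get("condition") else without_cond).add(ref["type"])
            shape[(td["type"], rel)] = (with_cond, without_cond)
    return shape

def affected_tuples(model, tuples):
    """Unconditioned `type:*` tuples on a relation that allows that wildcard only with a condition."""
    shape = wildcard_shape(model)
    hits = []
    for t in tuples:
        user_type, _, user_id = t["user"].partition(":")
        if user_id != "*" or t.get("condition"):
            continue  # not an unconditioned public-access tuple
        key = (t["object"].split(":", 1)[0], t["relation"])
        with_cond, without_cond = shape.get(key, (set(), set()))
        if user_type in with_cond and user_type not in without_cond:
            hits.append(t)
    return hits

# Constructed sample: document#viewer accepts user:* only with a condition.
SAMPLE_MODEL = {"schema_version": "1.1", "type_definitions": [
    {"type": "user"},
    {"type": "document", "relations": {"viewer": {"this": {}}},
     "metadata": {"relations": {"viewer": {"directly_related_user_types": [
         {"type": "user"},
         {"type": "user", "wildcard": {}, "condition": "in_office_hours"}]}}}}]}
SAMPLE_TUPLES = [
    {"user": "user:*", "relation": "viewer", "object": "document:roadmap"},
    {"user": "user:*", "relation": "viewer", "object": "document:budget",
     "condition": {"name": "in_office_hours"}},
    {"user": "user:anne", "relation": "viewer", "object": "document:roadmap"},
]

if __name__ == "__main__":
    for t in affected_tuples(SAMPLE_MODEL, SAMPLE_TUPLES):
        print("matches advisory preconditions:", t)
```

Only the unconditioned `user:*` tuple on `document:roadmap` is reported; the conditioned tuple and the concrete-user tuple fall outside the advisory's preconditions.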
Fix
Upgrade to v1.11.1. This upgrade is backwards compatible.
Workaround
None
References
- https://github.com/openfga/openfga/security/advisories/GHSA-2c64-vmv2-hgfc
- https://nvd.nist.gov/vuln/detail/CVE-2025-64751
- https://github.com/openfga/openfga
- https://github.com/openfga/openfga/releases/tag/v1.11.1
