OpenFGA Authorization Bypass Vulnerability

Vulnerability

A vulnerability allowing authorization bypass has been identified in OpenFGA versions from 1.3.6 up to but not including 1.8.11, and in the OpenFGA Helm chart versions from 0.1.36 up to but not including 0.2.29. The vulnerability is triggered by certain Check and ListObjects API calls, specifically against authorization models that contain tuple cycles. The issue is made worse when the Check query cache is enabled, because repeated requests that touch the tuple cycle can then produce inconsistent authorization results.

Impact

Exploitation of this vulnerability can lead to unauthorized access or permissions, allowing users to bypass intended authorization controls.

Reproduction

To reproduce this vulnerability, use OpenFGA versions from 1.3.6 up to but not including 1.8.11, or the OpenFGA Helm chart versions from 0.1.36 up to but not including 0.2.29. Enable the Check query cache and issue Check or ListObjects API calls against an authorization model that contains a tuple cycle. The vulnerability shows itself when the response to these calls is cached even though it indicates a cycle; a response flagged with a cycle should never have been written to the cache.
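To make the caching rule concrete, the following is a simplified model of a Check resolver with a cycle flag and a query cache, added here as an illustration and not OpenFGA's own code. The tuples, the relation name and the `cache_tainted` switch are constructed for the example; it shows that storing a cycle-flagged result makes a later query disagree with a fresh evaluation of the same question, while refusing to store it keeps the answers consistent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    allowed: bool
    cycle: bool  # True when evaluation hit a tuple cycle, so the value is incomplete


# Constructed sample tuples as (object, relation, user). A user written as
# "group:x#member" is a userset reference that must be resolved recursively.
TUPLES = [
    ("group:a", "member", "group:b#member"),
    ("group:b", "member", "group:a#member"),  # closes the a <-> b tuple cycle
    ("group:b", "member", "group:c#member"),
    ("group:c", "member", "user:bob"),
]


def check(user, relation, obj, cache, cache_tainted, visiting=frozenset()):
    # cache_tainted=True reproduces the flaw (cycle-flagged results get cached);
    # cache_tainted=False applies the fix (such results are never stored).
    key = (user, relation, obj)
    if key in cache:
        return cache[key]
    if key in visiting:
        return Result(False, True)  # re-entered an in-progress check: cycle
    allowed, cycle = False, False
    for o, r, u in TUPLES:
        if (o, r) != (obj, relation):
            continue
        if u == user:  # direct tuple
            allowed = True
            break
        if "#" in u:  # userset reference: recurse with this key marked in progress
            sub_obj, sub_rel = u.split("#")
            sub = check(user, sub_rel, sub_obj, cache, cache_tainted, visiting | {key})
            cycle = cycle or sub.cycle
            if sub.allowed:
                allowed = True
                break
    res = Result(allowed, cycle)
    if cache_tainted or not res.cycle:  # the fix: skip the cache when a cycle was hit
        cache[key] = res
    return res


def demo(cache_tainted):
    # Two queries sharing one cache, then the second question asked with a fresh cache.
    cache = {}
    first = check("user:bob", "member", "group:b", cache, cache_tainted)
    second = check("user:bob", "member", "group:a", cache, cache_tainted)
    fresh = check("user:bob", "member", "group:a", {}, cache_tainted)
    return first.allowed, second.allowed, fresh.allowed
```

In this union-only toy model the stale cached value is a wrong denial; the property that matters is that a cycle-flagged result depends on the path that produced it and must not be reused, whichever direction the inconsistency takes in a fuller model.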

Remediation

Users can upgrade to OpenFGA version 1.8.11 or the OpenFGA Helm chart version 0.2.29 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          1.4
impact          5.0
exploitability  5.5
remediation     7.7
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.