OpenFGA Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in OpenFGA versions 1.8.0 up to, but not including, 1.8.13. It is triggered by certain Check API and ListObjects calls made under specific conditions, including the use of an authorization model in which a relationship is assignable both by type-bound public access and by userset, while no type-bound public access tuples are assigned for that relationship. Under these conditions OpenFGA can return incorrect authorization decisions, potentially granting access to objects or actions that should have been denied.

Impact

Exploitation of this vulnerability can lead to unauthorized access or actions being granted, bypassing the intended authorization controls.

Reproduction

To reproduce this vulnerability, first ensure that the OpenFGA authorization model in use includes a relationship assignable both by type-bound public access and by userset. Then issue Check API or ListObjects calls that include contextual tuples for that relationship, where the user field of each contextual tuple is a userset and no type-bound public access tuples are assigned to the relationship. Under these conditions the authorization bypass occurs and access or actions are mistakenly granted.
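A triage helper, added here and not part of the advisory or of OpenFGA itself: it flags relations in an authorization model whose directly related user types mix a type-bound public access entry (user:*) with a userset (group#member), which is the model shape the advisory describes, and checks whether a server version string falls in the affected range. The model is a constructed sample; the field names directly_related_user_types and wildcard are those of OpenFGA's model JSON, which the page itself does not show.

```python
import json

# Constructed sample model (JSON form of the DSL line
#   define viewer: [user:*, group#member]
# under type document). Not taken from the advisory; it only shows a
# relation assignable from both type-bound public access and a userset.
SAMPLE_MODEL = json.loads("""
{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "group",
     "relations": {"member": {"this": {}}},
     "metadata": {"relations": {"member": {
        "directly_related_user_types": [{"type": "user"}]}}}},
    {"type": "document",
     "relations": {"viewer": {"this": {}}, "owner": {"this": {}}},
     "metadata": {"relations": {
        "viewer": {"directly_related_user_types": [
            {"type": "user", "wildcard": {}},
            {"type": "group", "relation": "member"}]},
        "owner": {"directly_related_user_types": [{"type": "user"}]}}}}
  ]
}
""")


def affected_relations(model):
    """Return 'type#relation' names whose directly related user types
    contain both a type-bound public access entry and a userset entry."""
    hits = []
    for td in model.get("type_definitions", []):
        rel_meta = td.get("metadata", {}).get("relations", {})
        for rel, meta in rel_meta.items():
            refs = meta.get("directly_related_user_types", [])
            has_public = any("wildcard" in r for r in refs)      # user:*
            has_userset = any(r.get("relation") for r in refs)  # group#member
            if has_public and has_userset:
                hits.append(f"{td['type']}#{rel}")
    return hits


def version_in_affected_range(version):
    """True when 1.8.0 <= version < 1.8.13, the range named in the advisory."""
    parts = tuple(int(p) for p in version.lstrip("v").split(".")[:3])
    return (1, 8, 0) <= parts < (1, 8, 13)
```

Relations reported by affected_relations on a server whose version passes version_in_affected_range are the ones to review before the upgrade to 1.8.13 is rolled out.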

Remediation

Users are advised to upgrade to OpenFGA version 1.8.13, which addresses this vulnerability. This upgrade is backwards compatible.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.