OpenFGA
cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*
- >= 1.9.3, < 1.9.5
A vulnerability exists in OpenFGA versions 1.9.3 to 1.9.4, including specific Helm chart and Docker package versions, due to improper policy enforcement in certain Check and ListObjects API calls. It arises when an authorization model allows a relation to be directly assigned more than one userset of the same object type, which can cause the evaluated permissions to diverge from what the model intends. The vulnerability is triggered only when userset tuples are assigned to such a relation and specific Check or ListObjects queries are executed against it.
Exploitation of this vulnerability can result in improper authorization checks, allowing users to bypass intended permission controls. This could lead to unauthorized access or actions within the application, depending on the specific authorization model and relationships involved.
To reproduce this vulnerability, use OpenFGA 1.9.3 or 1.9.4. Create an authorization model in which a relation is directly assignable by more than one userset of the same object type, write userset tuples to that relation, and then issue Check or ListObjects calls that depend on it. The improper policy enforcement shows up as authorization results that do not match what the model specifies, allowing unintended access or actions.
Upgrade OpenFGA to version 1.9.5. If using a Helm chart, ensure the chart version is between 0.2.40 and 0.2.41. For Docker, use version 1.9.5.
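As an added example, not taken from this advisory or from the OpenFGA project, the script below flags every relation in a model that matches the affected pattern (more than one directly assignable userset of the same object type), so an operator running 1.9.3 or 1.9.4 can tell which models need the upgrade first. It assumes the JSON form of the model that `fga model transform` emits, with the directly assignable types listed under `metadata.relations.<relation>.directly_related_user_types`; the sample model is constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample model in the JSON form that `fga model transform` emits
# (assumption: directly assignable types are listed under
# metadata.relations.<relation>.directly_related_user_types).
SAMPLE_MODEL = json.loads("""
{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "team",
     "relations": {"member": {"this": {}}, "admin": {"this": {}}},
     "metadata": {"relations": {
       "member": {"directly_related_user_types": [{"type": "user"}]},
       "admin": {"directly_related_user_types": [{"type": "user"}]}}}},
    {"type": "doc",
     "relations": {"viewer": {"this": {}}, "owner": {"this": {}}},
     "metadata": {"relations": {
       "viewer": {"directly_related_user_types": [
         {"type": "team", "relation": "member"},
         {"type": "team", "relation": "admin"}]},
       "owner": {"directly_related_user_types": [
         {"type": "user"}, {"type": "team", "relation": "admin"}]}}}}
  ]
}
""")

def affected_relations(model):
    """Return (object_type, relation, usersets) for every relation that is
    directly assignable by more than one userset of the same object type,
    the pattern this advisory describes. Plain user types and wildcards
    are not usersets, so they are ignored."""
    findings = []
    for td in model.get("type_definitions", []):
        rels = (td.get("metadata") or {}).get("relations") or {}
        for rel, meta in rels.items():
            by_type = defaultdict(list)
            for drut in meta.get("directly_related_user_types") or []:
                if drut.get("relation") and not drut.get("wildcard"):
                    by_type[drut["type"]].append(f'{drut["type"]}#{drut["relation"]}')
            for usersets in by_type.values():
                if len(usersets) > 1:
                    findings.append((td["type"], rel, sorted(usersets)))
    return findings

if __name__ == "__main__":
    for obj, rel, usersets in affected_relations(SAMPLE_MODEL):
        print(f"{obj}#{rel} is directly assignable by {', '.join(usersets)}")
```

In the sample, `doc#viewer` is flagged because it accepts both `team#member` and `team#admin`, while `doc#owner` is not, since only one of its assignable types is a userset of type `team`.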