OpenFGA Caching Vulnerability in Condition Evaluation Checks

Vulnerability

A vulnerability exists in OpenFGA versions prior to 1.13.1: for models that use conditions, enabling check caching can produce incorrect cache keys. As a result, OpenFGA can mistakenly reuse the cached result of a previous check request to answer a different request. Users are affected if their model's relations depend on condition evaluation and caching is active.

Impact

This vulnerability can cause incorrect authorization decisions by reusing cached results from different check requests, potentially leading to unauthorized access or actions.

Reproduction

To reproduce this vulnerability, create a model in OpenFGA that includes relations relying on condition evaluation, and ensure that caching is enabled. Then perform two check requests that should be evaluated separately but, because of the flawed cache key generation, are served from the same cached result. This can be verified by observing the authorization decisions OpenFGA returns: the second request may be incorrectly allowed or denied on the basis of the reused cached result.
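The cache-key collision described above, as an added illustration that is not OpenFGA's code and does not reproduce its real key format or root cause: it assumes the flaw amounts to leaving the request's condition context out of the cache key, and contrasts that with a key that includes a canonical rendering of the context. The request type, condition and sample values are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CheckRequest is a simplified stand-in for a Check call (constructed for this example).
type CheckRequest struct {
	User     string
	Relation string
	Object   string
	Context  map[string]string // parameters the model's conditions are evaluated against
}

// flawedKey omits the condition context, so two requests that differ only in
// context collide on one cache entry (an illustrative model of the flaw, not OpenFGA's code).
func flawedKey(r CheckRequest) string {
	return r.User + "#" + r.Relation + "@" + r.Object
}

// fixedKey folds a canonical rendering of the context into the key;
// json.Marshal sorts map keys, so equal contexts always produce equal keys.
func fixedKey(r CheckRequest) string {
	ctx, _ := json.Marshal(r.Context) // marshalling map[string]string cannot fail
	return flawedKey(r) + "|" + string(ctx)
}

// evalCondition is a toy condition: allow only when the request's ip_range is "internal".
func evalCondition(r CheckRequest) bool { return r.Context["ip_range"] == "internal" }

// CachedCheck answers r from the cache when the key function has seen that key before.
func CachedCheck(cache map[string]bool, keyFn func(CheckRequest) string, r CheckRequest) bool {
	k := keyFn(r)
	if v, ok := cache[k]; ok {
		return v
	}
	v := evalCondition(r)
	cache[k] = v
	return v
}

func main() {
	internal := CheckRequest{"user:anne", "viewer", "doc:1", map[string]string{"ip_range": "internal"}}
	external := CheckRequest{"user:anne", "viewer", "doc:1", map[string]string{"ip_range": "external"}}
	flawed := map[string]bool{}
	fmt.Println(CachedCheck(flawed, flawedKey, internal), CachedCheck(flawed, flawedKey, external)) // true true
	fixed := map[string]bool{}
	fmt.Println(CachedCheck(fixed, fixedKey, internal), CachedCheck(fixed, fixedKey, external)) // true false
}
```

With the flawed key the second (external) request inherits the first request's allow decision; with the context in the key it is evaluated on its own and denied.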

Remediation

Users should upgrade to OpenFGA version 1.13.1, which includes a patch for this vulnerability. Instructions for downloading the latest version are available on the OpenFGA GitHub releases page.

Added: Mar 27, 2026, 1:27 AM
Updated: Mar 27, 2026, 1:27 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 3.1
exploitability: 7.3
remediation: 7.7
relevance: 4.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.