CVE-2026-24851

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openfga/openfga/releases/tag/v1.11.3	Release Notes
https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openfga:helm_charts::::::openfga::*
	cpe:2.3:a:openfga:openfga::::::::

History

No history.

Information

Published : 2026-02-06 18:15

Updated : 2026-02-24 20:52

NVD link : CVE-2026-24851

Mitre link : CVE-2026-24851

CVE.ORG link : CVE-2026-24851

JSON object : View

Products Affected

openfga

openfga
helm_charts

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-24851", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-06T18:15:58.673", "references": [{"url": "https://github.com/openfga/openfga/releases/tag/v1.11.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3."}, {"lang": "es", "value": "OpenFGA es un motor de autorizaci\u00f3n/permisos de alto rendimiento y flexible, construido para desarrolladores e inspirado en Google Zanzibar. OpenFGA v1.8.5 a v1.11.2 (openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) son vulnerables a una aplicaci\u00f3n de pol\u00edticas incorrecta cuando se ejecutan ciertas llamadas Check. La vulnerabilidad requiere un modelo que tenga una relaci\u00f3n directamente asignable por un acceso p\u00fablico ligado a tipo y asignable por un acceso no p\u00fablico ligado a tipo, una tupla asignada para la relaci\u00f3n que es un acceso p\u00fablico ligado a tipo, una tupla asignada para el mismo objeto con la misma relaci\u00f3n que no es un acceso p\u00fablico ligado a tipo, y una tupla asignada para un objeto diferente que tiene un ID de objeto lexicogr\u00e1ficamente mayor con el mismo usuario y relaci\u00f3n que no es un acceso p\u00fablico ligado a tipo. Esta vulnerabilidad est\u00e1 corregida en la v1.11.3."}], "lastModified": "2026-02-24T20:52:16.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*", "vulnerable": true, "matchCriteriaId": "CE16E305-94B6-4C8E-86C1-9AA98A94D1B0", "versionEndExcluding": "0.2.51", "versionStartIncluding": "0.2.22"}, {"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC329AC3-B832-4CB4-9B0D-6F503BF02915", "versionEndExcluding": "1.11.3", "versionStartIncluding": "1.8.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}