CVE-2024-31452

8.1 HIGH

📋 TL;DR

OpenFGA versions 1.5.0 to 1.5.2 contain an authorization bypass vulnerability in Check and ListObjects APIs when using models with exclusion or intersection logic. This allows attackers to bypass intended permission checks and access unauthorized resources. Organizations using OpenFGA with complex authorization models involving 'but not' or 'and' operators are affected.

💻 Affected Systems

Products:
  • OpenFGA
Versions: v1.5.0 to v1.5.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using authorization models with exclusion (e.g., 'a but not b') or intersection (e.g., 'a and b') operators.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete authorization bypass allowing unauthorized access to all protected resources, data exfiltration, privilege escalation, and lateral movement within the system.

🟠 Likely Case

Partial authorization bypass where attackers can access some resources they should not have permission to, potentially exposing sensitive data or performing unauthorized actions.

🟢 If Mitigated

Limited impact with proper network segmentation, additional authentication layers, and monitoring that could detect anomalous access patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires API access but is straightforward once an attacker understands the model structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.5.3

Vendor Advisory: https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the OpenFGA service.
3. Update to OpenFGA v1.5.3 using your package manager or download it from GitHub.
4. Restart the OpenFGA service.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Disable Complex Authorization Models

Applies to: all

Temporarily remove or simplify authorization models that use exclusion or intersection operators until patching can be completed.

API Rate Limiting and Monitoring

Applies to: all

Implement strict rate limiting on the Check and ListObjects APIs and monitor for unusual access patterns.

🧯 If You Can't Patch

  • Implement network-level access controls to restrict who can reach the OpenFGA API endpoints
  • Add an additional authorization layer in front of OpenFGA to validate requests before they reach the vulnerable component

🔍 How to Verify

Check if Vulnerable:

Check whether your OpenFGA version is between v1.5.0 and v1.5.2 and whether any of your authorization models use exclusion ('but not') or intersection ('and') operators.

Check Version:

openfga version

Verify Fix Applied:

After updating to v1.5.3, test authorization checks with models containing exclusion/intersection logic to ensure they work correctly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of Check/ListObjects API calls
  • Authorization failures followed by successful accesses to the same resources
  • Requests that bypass expected permission constraints

Network Indicators:

  • High volume of API calls to Check/ListObjects endpoints
  • Unusual source IPs accessing authorization APIs

SIEM Query:

source="openfga" AND (api="Check" OR api="ListObjects") AND result="allowed" WHERE previous similar requests resulted in "denied"
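As an added example that is not part of this advisory, the SIEM logic above expressed as a small Python pass over constructed log lines: it flags a (user, relation, object) tuple that was denied on Check/ListObjects and later allowed. The JSON field names (api, user, relation, object, allowed) are assumptions for the sake of the example, not OpenFGA's actual log schema.

```python
import json

# Constructed sample records in a hypothetical JSON-lines shape.
# Field names are assumptions, not OpenFGA's real log format.
SAMPLE_LOG = """
{"ts":"2024-04-16T10:00:01Z","api":"Check","user":"user:anne","relation":"viewer","object":"doc:budget","allowed":false}
{"ts":"2024-04-16T10:00:05Z","api":"Check","user":"user:anne","relation":"viewer","object":"doc:budget","allowed":true}
{"ts":"2024-04-16T10:00:09Z","api":"Check","user":"user:bob","relation":"editor","object":"doc:roadmap","allowed":true}
{"ts":"2024-04-16T10:00:12Z","api":"ListObjects","user":"user:anne","relation":"viewer","object":"","allowed":true}
{"ts":"2024-04-16T10:00:15Z","api":"Check","user":"user:carl","relation":"viewer","object":"doc:budget","allowed":false}
"""

WATCHED_APIS = {"Check", "ListObjects"}


def parse_log(text):
    """Parse JSON-lines text into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_denied_then_allowed(records):
    """Return hits where a (user, relation, object) tuple was denied on a
    watched API and later allowed. Records are assumed to be in time order."""
    denied_seen = set()
    hits = []
    for rec in records:
        if rec.get("api") not in WATCHED_APIS:
            continue
        key = (rec.get("user"), rec.get("relation"), rec.get("object"))
        if rec.get("allowed") is False:
            denied_seen.add(key)
        elif rec.get("allowed") is True and key in denied_seen:
            hits.append({"key": key, "ts": rec.get("ts"), "api": rec.get("api")})
    return hits


if __name__ == "__main__":
    for hit in find_denied_then_allowed(parse_log(SAMPLE_LOG)):
        print("review:", hit)
```

A deny-then-allow flip is also what a legitimate tuple write produces, so correlate each hit with Write calls on the same object before treating it as suspicious.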
