CVE-2024-56323

9.8 CRITICAL

📋 TL;DR

OpenFGA versions 1.3.8 to 1.8.2 contain an authorization bypass vulnerability that is reachable when the authorization model uses conditions, requests supply contextual tuples with conditions, and the check query cache is enabled. An attacker can bypass authorization checks and reach resources they are not permitted to access. Only OpenFGA deployments running with this combination of settings are affected.

💻 Affected Systems

Products:
  • OpenFGA
  • OpenFGA Helm Chart
  • OpenFGA Docker
Versions: OpenFGA v1.3.8 to v1.8.2, Helm chart openfga-0.1.38 to openfga-0.2.19, Docker v1.3.8 to v1.8.2
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: All three of the following must hold:
  • Conditions are used in the authorization model
  • Contextual tuples with conditions are passed in requests
  • The check query cache is enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED)

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete authorization bypass allowing unauthorized access to all protected resources and data

🟠 Likely Case: Selective authorization bypass enabling access to specific protected resources based on attacker-controlled contextual tuples

🟢 If Mitigated: Limited impact if proper network segmentation and additional authorization layers exist

🌐 Internet-Facing: HIGH - Directly exposed authorization service could allow complete system compromise
🏢 Internal Only: HIGH - Even internal services could be exploited to bypass critical authorization controls

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific API calls with contextual tuples and understanding of the target's authorization model

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.8.3

Vendor Advisory: https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv

Restart Required: Yes

Instructions:

1. Upgrade OpenFGA to version 1.8.3 or later.
2. Update the Helm chart to openfga-0.2.20 or later.
3. Update the Docker image to openfga/openfga:v1.8.3 or later.
4. Restart all OpenFGA instances.

🔧 Temporary Workarounds

Disable caching

Applies to: all

Disable the check query cache so the vulnerable code path is never reached:

export OPENFGA_CHECK_QUERY_CACHE_ENABLED=false

🧯 If You Can't Patch

  • Disable caching by setting OPENFGA_CHECK_QUERY_CACHE_ENABLED=false
  • Implement additional authorization layers outside OpenFGA for critical resources

🔍 How to Verify

Check if Vulnerable:

The deployment is vulnerable if the OpenFGA version is between 1.3.8 and 1.8.2 (inclusive), the check query cache is enabled, and the authorization model uses conditions.

Check Version:

curl -X GET http://openfga-host:8080/version | grep version

Verify Fix Applied:

Confirm that the running OpenFGA instances report version 1.8.3 or later after the services have been restarted.
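The verification steps above combined into one check, as an added example that is not part of the advisory or of the OpenFGA project. It assumes the version string comes from the /version endpoint output or a Helm chart name, that the cache flag is read from the process environment, and that OPENFGA_CHECK_QUERY_CACHE_ENABLED is off when unset (the page states the default configuration is not vulnerable).

```python
"""Classify an OpenFGA deployment against CVE-2024-56323 (added example)."""
import re

# Affected ranges from the advisory; fixed in v1.8.3 and chart openfga-0.2.20.
AFFECTED_OPENFGA = ((1, 3, 8), (1, 8, 2))
AFFECTED_HELM = ((0, 1, 38), (0, 2, 19))


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings such as 'v1.8.2',
    'openfga-0.2.19' or a JSON line returned by the /version endpoint."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def in_range(version: tuple, bounds: tuple) -> bool:
    """Inclusive range test on (major, minor, patch) tuples."""
    low, high = bounds
    return low <= version <= high


def assess(server_version: str, env: dict, model_uses_conditions: bool) -> str:
    """Return 'vulnerable', 'affected-but-mitigated' or 'not-affected'.

    All three advisory preconditions must hold: an affected version, conditions
    in the model, and the check query cache switched on. Contextual tuples are
    supplied by the caller of the Check API, so they are not a server-side
    control and are assumed present.
    """
    if not in_range(parse_version(server_version), AFFECTED_OPENFGA):
        return "not-affected"
    # Assumption: the flag defaults to false when the variable is absent.
    cache_on = env.get("OPENFGA_CHECK_QUERY_CACHE_ENABLED", "false").lower() == "true"
    if cache_on and model_uses_conditions:
        return "vulnerable"
    return "affected-but-mitigated"


if __name__ == "__main__":
    # Constructed sample inputs standing in for the curl output and the env.
    version_line = '{"version":"v1.8.2"}'
    env = {"OPENFGA_CHECK_QUERY_CACHE_ENABLED": "true"}
    print("server:", assess(version_line, env, model_uses_conditions=True))
    print("helm chart affected:", in_range(parse_version("openfga-0.2.19"), AFFECTED_HELM))
```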

📡 Detection & Monitoring

Log Indicators:

  • Unusual Check API or ListObjects API calls with contextual tuples
  • Authorization failures followed by unexpected successes

Network Indicators:

  • Increased API calls to Check or ListObjects endpoints with contextual tuples

SIEM Query:

source="openfga" AND (api="Check" OR api="ListObjects") AND contextual_tuples EXISTS
