CVE-2025-46331

9.8 CRITICAL

📋 TL;DR

OpenFGA versions 1.3.6 through 1.8.10 contain an authorization bypass vulnerability in Check and ListObjects calls. This allows attackers to bypass permission checks and access resources they are not authorized for. All deployments running affected versions are vulnerable.

💻 Affected Systems

Products:
  • OpenFGA
Versions: v1.3.6 to v1.8.10 (Helm chart <= openfga-0.2.28, docker <= v1.8.10)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete authorization bypass allowing unauthorized access to all protected resources and data
🟠 Likely Case: Partial authorization bypass enabling access to specific resources that should be restricted
🟢 If Mitigated: Limited impact if additional authorization layers exist outside OpenFGA

🌐 Internet-Facing: HIGH - Internet-facing OpenFGA instances can be directly exploited
🏢 Internal Only: HIGH - Internal instances remain vulnerable to insider threats or compromised internal systems

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires API access but no authentication bypass; detailed advisory available

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.11

Vendor Advisory: https://github.com/openfga/openfga/security/advisories/GHSA-w222-m46c-mgh6

Restart Required: Yes

Instructions:

1. Update OpenFGA to version 1.8.11 or later
2. Update Helm chart to version > 0.2.28
3. Update Docker image to v1.8.11 or later
4. Restart OpenFGA service

🔧 Temporary Workarounds

  • Network segmentation (scope: all): Restrict network access to OpenFGA API endpoints
  • API gateway rate limiting (scope: all): Implement rate limiting on Check and ListObjects API calls

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach OpenFGA API
  • Add additional authorization layer before OpenFGA calls

🔍 How to Verify

Check if Vulnerable:

Check OpenFGA version: if between 1.3.6 and 1.8.10 inclusive, you are vulnerable

Check Version:

openfga version

Verify Fix Applied:

Confirm version is 1.8.11 or later and test authorization checks

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of Check/ListObjects calls
  • Authorization failures followed by successful access

Network Indicators:

  • High volume of Check/ListObjects API calls from a single source

SIEM Query:

source="openfga" AND (operation="Check" OR operation="ListObjects") | stats count by src_ip
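The two log indicators above, applied to constructed sample lines as an added example (this is not code from the advisory or from the OpenFGA project). The JSON field names (src_ip, operation, user, relation, object, allowed) are an assumed log shape for illustration, not OpenFGA's real log format; map them to whatever your deployment actually emits.

```python
import json
from collections import Counter

# Constructed sample log lines in an assumed JSON shape (not OpenFGA's real format).
SAMPLE_LOGS = """
{"ts":"2025-05-01T10:00:01Z","src_ip":"10.0.0.5","operation":"Check","user":"user:anne","relation":"viewer","object":"doc:1","allowed":false}
{"ts":"2025-05-01T10:00:02Z","src_ip":"10.0.0.5","operation":"Check","user":"user:anne","relation":"viewer","object":"doc:1","allowed":true}
{"ts":"2025-05-01T10:00:03Z","src_ip":"10.0.0.9","operation":"ListObjects","user":"user:bob","relation":"viewer","object":"doc","allowed":true}
{"ts":"2025-05-01T10:00:04Z","src_ip":"10.0.0.5","operation":"Write","user":"user:anne","relation":"viewer","object":"doc:2","allowed":true}
{"ts":"2025-05-01T10:00:05Z","src_ip":"10.0.0.5","operation":"ListObjects","user":"user:anne","relation":"viewer","object":"doc","allowed":true}
""".strip().splitlines()

# The two API operations the advisory names as affected.
WATCHED = {"Check", "ListObjects"}


def parse_events(lines):
    """Parse JSON log lines, skipping any line that is not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def count_by_source(events):
    """Same aggregation as the SIEM query: Check/ListObjects calls per src_ip."""
    return Counter(e["src_ip"] for e in events if e.get("operation") in WATCHED)


def high_volume_sources(events, threshold):
    """Sources whose Check/ListObjects call count reaches the threshold."""
    return sorted(ip for ip, n in count_by_source(events).items() if n >= threshold)


def deny_then_allow(events):
    """Second indicator: a denied Check later followed by an allowed Check for the
    same (user, relation, object) tuple from the same source."""
    denied, hits = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("operation") != "Check":
            continue
        key = (e["src_ip"], e["user"], e["relation"], e["object"])
        if not e["allowed"]:
            denied.add(key)
        elif key in denied:
            hits.append(key)
    return hits
```

Tune the threshold to your normal per-client call rate; a deny-then-allow hit on the same tuple is worth a closer look whether or not the source is also high volume.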
