CVE-2026-24851
📋 TL;DR
OpenFGA versions 1.8.5 to 1.11.2 have an improper policy enforcement vulnerability that can allow unauthorized access when specific authorization models and tuple configurations exist. The vulnerability affects systems using OpenFGA for authorization decisions where certain relation assignments create conflicting access scenarios. This impacts anyone running vulnerable OpenFGA versions with authorization models containing specific relation configurations.
💻 Affected Systems
- OpenFGA
📦 What is this software?
- Helm Charts by Openfga
- Openfga by Openfga
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain access to sensitive resources or data they should not have permission to access, potentially leading to data breaches or privilege escalation.
Likely Case
Authorization bypass for specific resources where conflicting tuple assignments exist, allowing unintended access to certain objects.
If Mitigated
Limited impact if proper access controls and monitoring are in place to detect unusual authorization patterns.
🎯 Exploit Status
Exploitation requires specific authorization model configurations and precise tuple assignments, making it complex to trigger accidentally.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.11.3
Vendor Advisory: https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9
Restart Required: Yes
Instructions:
1. Update OpenFGA to version 1.11.3 or later.
2. For Helm deployments, update to chart version openfga-0.2.52 or later.
3. For Docker deployments, pull the updated image tag.
4. Restart the OpenFGA service.
🔧 Temporary Workarounds
Review and modify authorization models
Audit all authorization models to identify configurations in which a relation is directly assignable by both type-bound public access and non-public access on the same object.
🧯 If You Can't Patch
- Audit all authorization models for the specific vulnerable configuration patterns described in the advisory
- Implement additional authorization checks at the application layer to validate OpenFGA decisions
🔍 How to Verify
Check if Vulnerable:
Check OpenFGA version and compare against affected range. Review authorization models for the specific configuration patterns mentioned in the advisory.
Check Version:
Check the OpenFGA server logs or API responses for version information, or, if the CLI is available, run: openfga version
Verify Fix Applied:
Confirm OpenFGA version is 1.11.3 or later. Test authorization checks that previously might have been vulnerable.
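The two checks above (version against the affected range, and the model audit from the workaround section) as an added example script; this is not code from the advisory or from the OpenFGA project. It assumes the authorization-model JSON layout returned by the Read Authorization Model API (type_definitions[].metadata.relations[name].directly_related_user_types[] with keys type, relation and wildcard) and treats a wildcard entry as type-bound public access (user:*). The sample model is constructed for the demonstration.

```python
"""Added example (not from the advisory or the OpenFGA project): two defensive
checks for CVE-2026-24851.

1. is_affected_version(): compare a server version string against the
   affected range 1.8.5 <= v <= 1.11.2 stated on this page.
2. find_conflicting_relations(): scan an OpenFGA authorization model (JSON in
   the assumed Read Authorization Model API layout) for relations that are
   directly assignable by BOTH a type-bound public access reference (user:*)
   AND a non-public reference on the same object type, which is the
   configuration pattern the workaround section says to audit.
"""
import json
import re

AFFECTED_MIN = (1, 8, 5)
AFFECTED_MAX = (1, 11, 2)
FIXED = (1, 11, 3)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn 'v1.11.3', '1.11.3-rc1' or '1.11' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(text):
    """True when the version lies inside the affected range given on this page."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def find_conflicting_relations(model):
    """Return (object_type, relation) pairs whose directly-related user types
    contain both a wildcard entry (type-bound public access) and a non-wildcard
    entry (a specific type or a type#relation userset).

    Assumed JSON layout: type_definitions[].metadata.relations[name]
    .directly_related_user_types[] with keys 'type', optional 'relation'
    and optional 'wildcard'.
    """
    findings = []
    for type_def in model.get("type_definitions", []):
        object_type = type_def.get("type", "?")
        rel_meta = (type_def.get("metadata") or {}).get("relations") or {}
        for relation, meta in rel_meta.items():
            refs = meta.get("directly_related_user_types") or []
            has_public = any("wildcard" in ref for ref in refs)
            has_non_public = any("wildcard" not in ref for ref in refs)
            if has_public and has_non_public:
                findings.append((object_type, relation))
    return findings


# Constructed sample model: 'viewer' on 'document' mixes user:* with user and
# group#member, so it matches the audit pattern; 'editor' does not.
SAMPLE_MODEL = json.loads("""
{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "group",
     "relations": {"member": {"this": {}}},
     "metadata": {"relations": {"member": {"directly_related_user_types": [{"type": "user"}]}}}},
    {"type": "document",
     "relations": {"viewer": {"this": {}}, "editor": {"this": {}}},
     "metadata": {"relations": {
       "viewer": {"directly_related_user_types": [
         {"type": "user"}, {"type": "user", "wildcard": {}}, {"type": "group", "relation": "member"}]},
       "editor": {"directly_related_user_types": [{"type": "user"}]}
     }}}
  ]
}
""")

if __name__ == "__main__":
    for v in ("v1.8.4", "1.9.0", "1.11.2", "1.11.3"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    for obj, rel in find_conflicting_relations(SAMPLE_MODEL):
        print(f"review: {obj}#{rel} mixes type-bound public access with non-public assignments")
```

Run the script against each model exported from a store: every reported relation is one to review under the workaround section (and to re-test after upgrading to 1.11.3), not proof of exploitability on its own, since the advisory also requires specific tuple assignments.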
📡 Detection & Monitoring
Log Indicators:
- Unusual authorization check patterns
- Failed authorization attempts followed by unexpected successes
Network Indicators:
- Unusual authorization API call patterns
SIEM Query:
Look for authorization check patterns that match the specific vulnerable configuration described in the advisory