Sign In

CVE-2026-24851

ADVISORY - github

Summary

Impact

OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed.

Affected Users

Users are affected by this vulnerability if all of the following preconditions are met:

  • OpenFGA v1.8.5 to v1.11.2 is being used
  • The model has a relation directly assignable by a type bound public access and assignable by type bound non-public access
  • A tuple is assigned for the relation that is a type bound public access
  • A tuple is assigned for the same object with the same relation that is not type bound public access
  • A tuple is assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access

Fix

Upgrade to v1.11.3. This upgrade is backwards compatible.

Workaround

None

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-863

Incorrect Authorization

ADVISORY - github

CWE-863

Incorrect Authorization

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-24851
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-863

CVSS SCORE

5.8medium

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-jq9f-gm9w-rwm9
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-863

CVSS SCORE

5.8medium

minimos

CREATED

UPDATED

ADVISORY ID

MINI-76h4-mm8p-86vp

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-84p7-43cv-8f9p

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-85hf-m9pc-2fq5

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-92f6-v6hv-9hrc

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-hq6m-m428-2x95

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-vhp3-gmxj-qjf8

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY