Sign In

CVE-2026-24851

ADVISORY - github

Summary

Impact

OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed.

Affected Users

Users are affected by this vulnerability if all of the following preconditions are met:

  • OpenFGA v1.8.5 to v1.11.2 is being used
  • The model has a relation directly assignable by a type bound public access and assignable by type bound non-public access
  • A tuple is assigned for the relation that is a type bound public access
  • A tuple is assigned for the same object with the same relation that is not type bound public access
  • A tuple is assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access

Fix

Upgrade to v1.11.3. This upgrade is backwards compatible.

Workaround

None

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-863

Incorrect Authorization

ADVISORY - github

CWE-863

Incorrect Authorization

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in