CVE-2024-31452

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

O

penFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3.

References

Link	Resource
https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2	Patch
https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r	Patch Vendor Advisory
https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2	Patch
https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

History

05 Jan 2026, 16:20

Type	Values Removed	Values Added
First Time		Openfga openfga Openfga
CPE		cpe:2.3:a:openfga:openfga::::::::
References	~~() https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2 -~~	() https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2 - Patch
References	~~() https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r -~~	() https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r - Patch, Vendor Advisory

21 Nov 2024, 09:13

Type	Values Removed	Values Added
References	~~() https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2 -~~	() https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2 -
References	~~() https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r -~~	() https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r -

Information

Published : 2024-04-16 22:15

Updated : 2026-01-05 16:20

NVD link : CVE-2024-31452

Mitre link : CVE-2024-31452

CVE.ORG link : CVE-2024-31452

JSON object : View

Products Affected

openfga

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-31452", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-04-16T22:15:35.003", "references": [{"url": "https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r", "tags": ["Patch", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/openfga/openfga/commit/b6a6d99b2bdbf8c3781503989576076289f48ed2", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/openfga/openfga/security/advisories/GHSA-8cph-m685-6v6r", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3."}, {"lang": "es", "value": "OpenFGA es un motor de autorizaci\u00f3n/permiso flexible y de alto rendimiento. Algunos usuarios finales de OpenFGA v1.5.0 o posterior son vulnerables a la omisi\u00f3n de autorizaci\u00f3n al llamar a las API Check o ListObjects. Es muy probable que se vea afectado si su modelo implica exclusi\u00f3n (por ejemplo, \"a pero no b\") o intersecci\u00f3n (por ejemplo, \"a y b\"). Esta vulnerabilidad se solucion\u00f3 en v1.5.3."}], "lastModified": "2026-01-05T16:20:42.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "842F770D-971B-456E-8050-6D35967A543F", "versionEndExcluding": "1.5.3", "versionStartIncluding": "1.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}