CVE-2022-39352

MEDIUM

OpenFGA < 0.2.5 - Authorization Bypass via Wildcard Tupleset Relation

Title source: llm

Description

OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

References (1)

Core 1

Core References

Third Party Advisory

https://github.com/openfga/openfga/security/advisories/GHSA-3gfj-fxx4-f22w

Scores

CVSS v3 4.8

EPSS 0.0042

EPSS Percentile 33.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

openfga/openfga < 0.2.5

openfga/openfga 0 - 0.2.5Go

Published Nov 08, 2022

Tracked Since Feb 18, 2026