CVE-2025-64751
HIGH
OpenFGA 1.4.0 to 1.11.0 - Improper Authorization in Check and ListObjects Calls
Title source: llmDescription
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 through v1.11.0 (Helm chart openfga-0.1.34 through openfga-0.2.48; docker image v1.4.0 through v1.11.0) is vulnerable to improper policy enforcement when certain Check and ListObjects calls are executed: for the affected call shapes the server's answer does not match what the stored authorization model and relationship tuples actually grant. The issue is patched in version 1.11.1. Deployments should upgrade the server (and, for Helm installs, the chart) and consult the vendor advisory linked below for details of which calls are affected.
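The first thing a practitioner wants from an advisory like this is a reliable answer to "is the build I am running inside the affected range?". The Go program below is an added example, not code from this page or from the OpenFGA project: it parses the version spellings the advisory uses (plain `1.11.0`, `v1.11.0`, the docker-style `v.1.11.0`, and the Helm chart tag `openfga-0.2.48`) and tests them against the ranges stated above. Its product keys `openfga/openfga` and `openfga/helm_charts`, the function names, and the sample inventory are this example's own. It assumes the product ranges on this page are written as [first affected, first fixed), so that openfga-0.2.49 is the first patched chart (the description itself only says charts up to openfga-0.2.48 are vulnerable; confirm against the vendor advisory). The two details worth noting are that a hypothetical pre-release such as `v1.11.1-rc1` sorts before the fixed 1.11.1 under semver precedence and is therefore still reported as affected, and that a tag the program cannot read, such as `latest`, is an error rather than a silent "not affected".

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed semantic version; Pre is the pre-release tag
// (the "rc1" in 1.11.1-rc1). Build metadata after '+' is discarded.
type Version struct {
	Major, Minor, Patch int
	Pre                 string
}

// ParseVersion accepts the spellings used in the advisory and on image/chart
// tags: "1.11.0", "v1.11.0", "v.1.11.0" and "openfga-0.2.48". Anything else
// (e.g. "latest") is an error, so a tag we cannot read is never reported safe.
func ParseVersion(tag string) (Version, error) {
	s := strings.TrimSpace(tag)
	s = strings.TrimPrefix(s, "openfga-") // Helm chart tag prefix
	s = strings.TrimPrefix(s, "v.")       // docker tag spelling in the advisory
	s = strings.TrimPrefix(s, "v")
	s, _, _ = strings.Cut(s, "+")    // build metadata never affects precedence
	s, pre, _ := strings.Cut(s, "-") // keep the pre-release tag for Compare
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("unparseable version tag %q", tag)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return Version{}, fmt.Errorf("unparseable version tag %q", tag)
		}
		n[i] = x
	}
	return Version{n[0], n[1], n[2], pre}, nil
}

// Compare returns -1, 0 or 1 by semver precedence. A pre-release sorts before
// the release it precedes, so 1.11.1-rc1 is older than the fixed 1.11.1 and
// still counts as affected.
func (v Version) Compare(o Version) int {
	a := [3]int{v.Major, v.Minor, v.Patch}
	b := [3]int{o.Major, o.Minor, o.Patch}
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	switch {
	case v.Pre == o.Pre:
		return 0
	case v.Pre == "":
		return 1
	case o.Pre == "":
		return -1
	}
	return strings.Compare(v.Pre, o.Pre)
}

// affectedRange is inclusive at Min (first vulnerable) and exclusive at Fixed.
type affectedRange struct{ Min, Fixed Version }

// Ranges from this advisory. The 0.2.49 chart bound is an assumption: the
// chart released after openfga-0.2.48 is taken to carry the fix.
var affected = map[string]affectedRange{
	"openfga/openfga":     {Version{1, 4, 0, ""}, Version{1, 11, 1, ""}},
	"openfga/helm_charts": {Version{0, 1, 34, ""}, Version{0, 2, 49, ""}},
}

// IsAffected reports whether `tag` of `product` is inside the affected range.
// Unknown products and unparseable tags are errors, never a silent false.
func IsAffected(product, tag string) (bool, error) {
	r, ok := affected[product]
	if !ok {
		return false, fmt.Errorf("no CVE-2025-64751 range for product %q", product)
	}
	v, err := ParseVersion(tag)
	if err != nil {
		return false, err
	}
	return v.Compare(r.Min) >= 0 && v.Compare(r.Fixed) < 0, nil
}

func main() {
	// Constructed sample inventory, not real deployment data.
	for _, it := range [][2]string{
		{"openfga/openfga", "v1.11.0"}, {"openfga/openfga", "v1.11.1-rc1"},
		{"openfga/openfga", "v1.11.1"}, {"openfga/helm_charts", "openfga-0.2.48"},
		{"openfga/helm_charts", "openfga-0.2.49"}, {"openfga/openfga", "latest"},
	} {
		hit, err := IsAffected(it[0], it[1])
		fmt.Printf("%-20s %-16s affected=%-5v err=%v\n", it[0], it[1], hit, err)
	}
}
```

Run it with `go run`; in practice replace the constructed inventory with the image tag from your deployment manifest or the chart column of `helm list`. The version check only tells you whether a build is inside the advisory range; whether a particular authorization model actually triggers the flawed Check or ListObjects behaviour is a separate question answered by the vendor advisory, and upgrading to 1.11.1 removes the need to answer it.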
References (2)
Vendor Advisory (x_refsource_confirm): https://github.com/openfga/openfga/security/advisories/GHSA-2c64-vmv2-hgfc
Release Notes (x_refsource_misc): https://github.com/openfga/openfga/releases/tag/v1.11.1
Scores
CVSS v3.1 base score
8.8 (HIGH)
CVSS v3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
0.0025 (0.25%)
EPSS Percentile
15.6%
Attack Vector
NETWORK
CISA SSVC (Vulnrichment)
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-285 (Improper Authorization)
Status
published
Products (3)
openfga/helm_charts
>= 0.1.34, < 0.2.49 (charts openfga-0.1.34 through openfga-0.2.48)
openfga/openfga
>= 1.4.0, < 1.11.1 (fixed in 1.11.1)
openfga/openfga (Go)
>= 1.4.0, < 1.11.1 (fixed in 1.11.1)
Published
Nov 21, 2025
Tracked Since
Feb 18, 2026