CVE-2024-56323
Published: 13 January 2025
Description
OpenFGA is an authorization/permission engine. In OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. calling Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.
Security Summary
CVE-2024-56323 is an authorization bypass vulnerability affecting OpenFGA, an open-source authorization and permission engine. The issue impacts OpenFGA versions from v1.3.8 to v1.8.2, including corresponding Helm chart releases from openfga-0.1.38 to openfga-0.2.19 and Docker images from v1.3.8 to v1.8.2. It occurs specifically when a model uses conditions, the Check API or ListObjects API is called with contextual tuples that include conditions, and OpenFGA is configured with query caching enabled via the OPENFGA_CHECK_QUERY_CACHE_ENABLED setting. The vulnerability is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-285 (Improper Authorization).
Attackers can exploit this vulnerability remotely over the network with no required privileges, user interaction, or special conditions beyond the specified configuration. By crafting API requests to the Check or ListObjects endpoints using models and contextual tuples with conditions, unauthenticated attackers can bypass authorization checks when caching is active, potentially gaining unauthorized access to sensitive resources, modifying permissions, or disrupting service availability.
The official advisory recommends upgrading to OpenFGA v1.8.3 to remediate the vulnerability, with no known workarounds available. Additional details are provided in the GitHub Security Advisory at https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv.
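As an added triage helper (not OpenFGA project code), the following Python script encodes the affected version ranges and the cache setting named in the advisory and reports whether a given deployment satisfies the configuration condition on an affected build; the input shape (a version string plus a dict of environment variables) and the set of values treated as "true" are assumptions.

```python
import re

# Affected ranges as published for CVE-2024-56323 (inclusive bounds).
SERVER_RANGE = ((1, 3, 8), (1, 8, 2))     # OpenFGA server / docker image
CHART_RANGE = ((0, 1, 38), (0, 2, 19))    # Helm chart openfga-0.1.38..0.2.19
FIXED_VERSION = (1, 8, 3)
CACHE_VAR = "OPENFGA_CHECK_QUERY_CACHE_ENABLED"


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as
    'v1.8.2', 'v.1.8.2' or 'openfga-0.2.19'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def in_range(version, bounds):
    low, high = bounds
    return low <= version <= high


def cache_enabled(env):
    """Assumption: an unset variable counts as disabled and only explicit
    true-like values enable the cache; confirm against your deployment."""
    return env.get(CACHE_VAR, "").strip().lower() in {"1", "t", "true", "yes"}


def assess(server_version, env, chart_version=None):
    """Return a verdict dict for one deployment.

    Conditions 1 and 2 of the advisory (a model with conditions, contextual
    tuples with conditions) depend on models and requests rather than on
    config, so 'exposed' here means condition 3 holds on an affected build
    and any such request can reach the bypass."""
    server = parse_version(server_version)
    affected_build = in_range(server, SERVER_RANGE)
    if chart_version is not None:
        affected_build = affected_build or in_range(parse_version(chart_version), CHART_RANGE)
    cache = cache_enabled(env)
    return {
        "server_version": server,
        "affected_build": affected_build,
        "cache_enabled": cache,
        "exposed": affected_build and cache,
        "fixed": server >= FIXED_VERSION,
    }
```

Run it against each OpenFGA instance's image tag, chart version and environment; any result with `exposed` set should be scheduled for the v1.8.3 upgrade first.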
Details
- CWE(s)