{"id":"GHSA-2c64-vmv2-hgfc","summary":"OpenFGA Improper Policy Enforcement","details":"### Overview\nOpenFGA versions v1.4.0 through v1.11.0 (openfga-0.1.34 \u003c= Helm chart \u003c= openfga-0.2.48, v1.4.0 \u003c= docker \u003c= v1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObjects calls are executed.\n\n### Am I Affected?\nYou are affected by this vulnerability if you meet all of the following preconditions:\n- You are using OpenFGA v1.4.0 to v1.11.0\n- The model has a relation directly assignable by a [type bound public access](https://openfga.dev/docs/concepts#what-is-type-bound-public-access) with a [condition](https://openfga.dev/docs/modeling/conditions)\n- The same relation is not assignable by a type bound public access without a condition\n- You have a tuple for the same relation whose user is a type bound public access without a condition\n\n### Fix\nUpgrade to v1.11.1. This upgrade is backwards compatible.\n\n### Workaround\nNone","aliases":["CVE-2025-64751","GO-2025-4150"],"modified":"2026-01-30T01:45:45.387029Z","published":"2025-11-20T22:48:55Z","related":["CGA-7rv8-mvx4-whcq"],"database_specific":{"github_reviewed":true,"github_reviewed_at":"2025-11-20T22:48:55Z","severity":"MODERATE","nvd_published_at":"2025-11-21T02:15:43Z","cwe_ids":["CWE-285"]},"references":[{"type":"WEB","url":"https://github.com/openfga/openfga/security/advisories/GHSA-2c64-vmv2-hgfc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64751"},{"type":"PACKAGE","url":"https://github.com/openfga/openfga"},{"type":"WEB","url":"https://github.com/openfga/openfga/releases/tag/v1.11.1"}],"affected":[{"package":{"name":"github.com/openfga/openfga","ecosystem":"Go","purl":"pkg:golang/github.com/openfga/openfga"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.4.0"},{"fixed":"1.11.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-2c64-vmv2-hgfc/GHSA-2c64-vmv2-hgfc.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"}]}
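A preflight check for the "Am I Affected?" preconditions, added here as an example; it is not part of the advisory or of the OpenFGA project. It reads an authorization model in the JSON shape the OpenFGA API returns (type_definitions, metadata.relations, directly_related_user_types, where `wildcard` marks a type-bound public access and `condition` names the condition it requires) plus a list of stored relationship tuples, flags relations that are only publicly assignable under a condition, and reports any unconditional `<type>:*` tuple stored on such a relation. The model, the `flag_enabled` condition and the tuples are constructed for the example; feed it your own ReadAuthorizationModel and Read output to decide how urgently to pick up v1.11.1.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Relation reference as it appears under
// metadata.relations[<rel>].directly_related_user_types in the model JSON.
type relationRef struct {
	Type      string    `json:"type"`
	Wildcard  *struct{} `json:"wildcard,omitempty"`  // non-nil for type-bound public access ("user:*")
	Condition string    `json:"condition,omitempty"` // non-empty when the assignment requires a condition
}

type typeDef struct {
	Type     string `json:"type"`
	Metadata *struct {
		Relations map[string]struct {
			DirectlyRelatedUserTypes []relationRef `json:"directly_related_user_types"`
		} `json:"relations"`
	} `json:"metadata,omitempty"`
}

type model struct {
	TypeDefinitions []typeDef `json:"type_definitions"`
}

// Relationship tuple in the Write/Read API shape; Condition is nil when the
// tuple was written without one.
type tuple struct {
	User      string `json:"user"`
	Relation  string `json:"relation"`
	Object    string `json:"object"`
	Condition *struct {
		Name string `json:"name"`
	} `json:"condition,omitempty"`
}

func parseModel(raw string) (model, error) {
	var m model
	err := json.Unmarshal([]byte(raw), &m)
	return m, err
}

// suspectRelations returns "type#relation" keys for every relation that is
// directly assignable by a type-bound public access with a condition and by
// no type-bound public access without one (the advisory's model preconditions).
func suspectRelations(m model) map[string]bool {
	out := map[string]bool{}
	for _, td := range m.TypeDefinitions {
		if td.Metadata == nil {
			continue
		}
		for rel, meta := range td.Metadata.Relations {
			condWildcard, plainWildcard := false, false
			for _, ref := range meta.DirectlyRelatedUserTypes {
				if ref.Wildcard == nil {
					continue
				}
				if ref.Condition != "" {
					condWildcard = true
				} else {
					plainWildcard = true
				}
			}
			if condWildcard && !plainWildcard {
				out[td.Type+"#"+rel] = true
			}
		}
	}
	return out
}

// affectedTuples returns the stored tuples that complete the last
// precondition: an unconditional "<type>:*" tuple on a suspect relation.
func affectedTuples(suspects map[string]bool, tuples []tuple) []tuple {
	var hits []tuple
	for _, t := range tuples {
		objType := strings.SplitN(t.Object, ":", 2)[0]
		if suspects[objType+"#"+t.Relation] && strings.HasSuffix(t.User, ":*") && t.Condition == nil {
			hits = append(hits, t)
		}
	}
	return hits
}

// Constructed sample model: document#viewer is suspect (its only user:* assignment
// carries a condition); document#editor is not (it also allows plain user:*).
const sampleModel = `{
  "schema_version": "1.1",
  "type_definitions": [
    {"type": "user"},
    {"type": "document",
     "relations": {"viewer": {"this": {}}, "editor": {"this": {}}},
     "metadata": {"relations": {
       "viewer": {"directly_related_user_types": [
         {"type": "user", "wildcard": {}, "condition": "flag_enabled"}, {"type": "user"}]},
       "editor": {"directly_related_user_types": [
         {"type": "user", "wildcard": {}}, {"type": "user"}]}}}}
  ],
  "conditions": {"flag_enabled": {"name": "flag_enabled", "expression": "enabled",
    "parameters": {"enabled": {"type_name": "TYPE_NAME_BOOL"}}}}
}`

// Constructed sample tuples; only the first one matches all preconditions.
func sampleTuples() []tuple {
	raw := `[
	 {"user":"user:*","relation":"viewer","object":"document:readme"},
	 {"user":"user:*","relation":"viewer","object":"document:plan","condition":{"name":"flag_enabled"}},
	 {"user":"user:*","relation":"editor","object":"document:readme"},
	 {"user":"user:anne","relation":"viewer","object":"document:readme"}]`
	var ts []tuple
	if err := json.Unmarshal([]byte(raw), &ts); err != nil {
		panic(err)
	}
	return ts
}

func main() {
	m, err := parseModel(sampleModel)
	if err != nil {
		panic(err)
	}
	for _, t := range affectedTuples(suspectRelations(m), sampleTuples()) {
		fmt.Printf("affected: user=%s relation=%s object=%s\n", t.User, t.Relation, t.Object)
	}
}
```

The check is deliberately conservative about what counts as "the same relation": a conditional `user:*` on `document#viewer` is only cleared by an unconditional wildcard on that exact relation, matching the advisory's second bullet. A non-empty result means an upgrade to v1.11.1 is the only fix available, since the advisory lists no workaround.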