CVE-2025-48371HIGH 8.8EPSS p32.4%

CVE-2025-48371CVE-2025-48371

Description

OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples’s user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.41% probability of exploitation · percentile 32.4% · 2026-06-18T12:00:27Z
Published2025-05-22
Last modified2026-01-15

Underlying weaknesses· 1

CWE-285

References

  1. https://github.com/openfga/openfga/commit/e5960d4eba92b723de8ff3a5346a07f50c1379ca
  2. https://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7

1

TypeTargetConfidenceTier
WeaknessImproper Authorizationcwe-2850%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-46331
CVE
CVE-2025-25196
CVE
CVE-2025-64751
CVE
CVE-2025-55213
CVE
CVE-2026-24851
CVE
CVE-2026-34972
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.