Vulnerability Details CVE-2025-46331
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. This issue has been patched in version 1.8.11.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.8%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2025-46331
-
cpe:2.3:a:openfga:helm_charts:0.1.36
-
cpe:2.3:a:openfga:helm_charts:0.1.37
-
cpe:2.3:a:openfga:helm_charts:0.1.38
-
cpe:2.3:a:openfga:helm_charts:0.1.39
-
cpe:2.3:a:openfga:helm_charts:0.1.40
-
cpe:2.3:a:openfga:helm_charts:0.1.41
-
cpe:2.3:a:openfga:helm_charts:0.2.0
-
cpe:2.3:a:openfga:helm_charts:0.2.1
-
cpe:2.3:a:openfga:helm_charts:0.2.10
-
cpe:2.3:a:openfga:helm_charts:0.2.11
-
cpe:2.3:a:openfga:helm_charts:0.2.12
-
cpe:2.3:a:openfga:helm_charts:0.2.13
-
cpe:2.3:a:openfga:helm_charts:0.2.14
-
cpe:2.3:a:openfga:helm_charts:0.2.15
-
cpe:2.3:a:openfga:helm_charts:0.2.16
-
cpe:2.3:a:openfga:helm_charts:0.2.17
-
cpe:2.3:a:openfga:helm_charts:0.2.18
-
cpe:2.3:a:openfga:helm_charts:0.2.19
-
cpe:2.3:a:openfga:helm_charts:0.2.2
-
cpe:2.3:a:openfga:helm_charts:0.2.20
-
cpe:2.3:a:openfga:helm_charts:0.2.21
-
cpe:2.3:a:openfga:helm_charts:0.2.22
-
cpe:2.3:a:openfga:helm_charts:0.2.23
-
cpe:2.3:a:openfga:helm_charts:0.2.24
-
cpe:2.3:a:openfga:helm_charts:0.2.25
-
cpe:2.3:a:openfga:helm_charts:0.2.26
-
cpe:2.3:a:openfga:helm_charts:0.2.27
-
cpe:2.3:a:openfga:helm_charts:0.2.28
-
cpe:2.3:a:openfga:helm_charts:0.2.3
-
cpe:2.3:a:openfga:helm_charts:0.2.4
-
cpe:2.3:a:openfga:helm_charts:0.2.5
-
cpe:2.3:a:openfga:helm_charts:0.2.6
-
cpe:2.3:a:openfga:helm_charts:0.2.7
-
cpe:2.3:a:openfga:helm_charts:0.2.8
-
cpe:2.3:a:openfga:helm_charts:0.2.9
-
cpe:2.3:a:openfga:openfga:1.3.10
-
cpe:2.3:a:openfga:openfga:1.3.6
-
cpe:2.3:a:openfga:openfga:1.3.7
-
cpe:2.3:a:openfga:openfga:1.3.8
-
cpe:2.3:a:openfga:openfga:1.3.9
-
cpe:2.3:a:openfga:openfga:1.4.0
-
cpe:2.3:a:openfga:openfga:1.4.1
-
cpe:2.3:a:openfga:openfga:1.4.2
-
cpe:2.3:a:openfga:openfga:1.4.3
-
cpe:2.3:a:openfga:openfga:1.5.0
-
cpe:2.3:a:openfga:openfga:1.5.1
-
cpe:2.3:a:openfga:openfga:1.5.2
-
cpe:2.3:a:openfga:openfga:1.5.3
-
cpe:2.3:a:openfga:openfga:1.5.4
-
cpe:2.3:a:openfga:openfga:1.5.5
-
cpe:2.3:a:openfga:openfga:1.5.6
-
cpe:2.3:a:openfga:openfga:1.5.7
-
cpe:2.3:a:openfga:openfga:1.5.8
-
cpe:2.3:a:openfga:openfga:1.5.9
-
cpe:2.3:a:openfga:openfga:1.6.0
-
cpe:2.3:a:openfga:openfga:1.6.1
-
cpe:2.3:a:openfga:openfga:1.6.2
-
cpe:2.3:a:openfga:openfga:1.7.0
-
cpe:2.3:a:openfga:openfga:1.8.0
-
cpe:2.3:a:openfga:openfga:1.8.1
-
cpe:2.3:a:openfga:openfga:1.8.10
-
cpe:2.3:a:openfga:openfga:1.8.2
-
cpe:2.3:a:openfga:openfga:1.8.3
-
cpe:2.3:a:openfga:openfga:1.8.4
-
cpe:2.3:a:openfga:openfga:1.8.5
-
cpe:2.3:a:openfga:openfga:1.8.6
-
cpe:2.3:a:openfga:openfga:1.8.7
-
cpe:2.3:a:openfga:openfga:1.8.8
-
cpe:2.3:a:openfga:openfga:1.8.9