CVE-2024-42473: 
Wolfi vulnerability analysis and mitigation

OpenFGA (Authorization/Permission Engine) versions 1.5.7 and 1.5.8 were identified with a critical vulnerability (CVE-2024-42473) that allows authorization bypass when using the Check API with specific model configurations. The vulnerability was discovered and disclosed on August 12, 2024, affecting OpenFGA installations using these versions (NVD).

The vulnerability occurs specifically when calling the Check API with a model that uses 'but not' and 'from' expressions in combination with a userset. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 9.8 (Critical) by NIST and 7.5 (High) by GitHub, indicating its significant impact potential. The vulnerability is classified under CWE-863 (Incorrect Authorization) (NVD).

The vulnerability enables unauthorized access through authorization bypass, potentially compromising the security model of affected systems. Given the critical CVSS score and the nature of OpenFGA as an authorization engine, successful exploitation could lead to significant security breaches in affected systems (NVD).

Users are advised to downgrade to OpenFGA version 1.5.6 as an immediate mitigation measure. This downgrade is backward compatible. For those using the Helm chart, upgrading to version 0.2.12 is recommended. A patch was planned for future release at the time of disclosure (GitHub Advisory).