CVE-2025-46331: 
Wolfi vulnerability analysis and mitigation

OpenFGA, a high-performance and flexible authorization/permission engine inspired by Google Zanzibar, was found to contain a critical vulnerability affecting versions v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10). The vulnerability, identified as CVE-2025-46331, was discovered and disclosed on April 30, 2025, and allows attackers to bypass authorization controls when executing certain Check and ListObject calls. The issue has been patched in version 1.8.11 (NVD, GitHub Advisory).

The vulnerability stems from an issue where the system incorrectly handles cycle detection in authorization checks. When the response indicates a cycle detected, the result becomes indeterminate because the parent of the cycle could have resolved to true. The system was saving these indeterminate results to cache, which could lead to incorrect authorization decisions. The vulnerability has been assigned a CVSS v4.0 score of 5.8 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (NVD).

The vulnerability could result in authorization bypass, potentially allowing unauthorized access to protected resources. When exploited, the bug could cause check results to return false when they should be true, leading to incorrect access control decisions that could compromise system security (GitHub Advisory).

Users are strongly advised to upgrade to OpenFGA version 1.8.11, which contains the fix for this vulnerability. For Docker users, this means updating to docker version v1.8.11, and for Helm chart users, updating to openfga-0.2.29 or later. The patch prevents the system from saving cycle detection results to the check query cache (GitHub Advisory).