CVE-2025-55213: 
vulnerability analysis and mitigation

OpenFGA versions 1.9.3 to 1.9.4 (including Helm chart openfga-0.2.40 to openfga-0.2.41 and docker v1.9.3 to v.1.9.4) contains a vulnerability related to improper policy enforcement when certain Check and ListObject calls are executed. The vulnerability was discovered in February 2025 and assigned CVE-2025-55213 (GitHub Advisory).

The vulnerability occurs when calling Check API or ListObjects with an authorization model that has a relationship directly assignable by more than one userset with the same type. The issue specifically manifests when there are check or list object queries that rely on this relationship and when userset tuples are assigned to the affected relationship. The vulnerability is rated as Moderate with a CVSS v4.0 score of 5.8 (Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H) (GitHub Advisory).

When successfully exploited, this vulnerability can lead to improper policy enforcement in the affected OpenFGA installations. While there is no direct impact on the vulnerable system's confidentiality, integrity, or availability, the subsequent system impacts are rated as High for confidentiality, integrity, and availability (GitHub Advisory).

Users are advised to upgrade to OpenFGA v1.9.5, which provides a backwards-compatible fix for this vulnerability. Alternatively, users can downgrade to v1.9.2 with the enable-check-optimizations removed from OPENFGA_EXPERIMENTALS as a workaround (GitHub Advisory).

The vulnerability was discovered and reported by Dominic Harries and rrozza-apolitical, who were acknowledged by the OpenFGA team for their contribution to security (GitHub Advisory).