CVE-2025-64751: 
Wolfi vulnerability analysis and mitigation

OpenFGA versions v1.4.0 to v1.11.0 (including Helm chart openfga-0.1.34 to openfga-0.2.48 and Docker versions v1.4.0 to v1.11.0) were identified with a vulnerability related to improper policy enforcement. The vulnerability, tracked as CVE-2025-64751 (GHSA-2c64-vmv2-hgfc), was disclosed on November 20, 2025, affecting the Go-based authorization system (GitHub Advisory, Miggo).

The vulnerability has been assigned a CVSS v4.0 score of 5.8 (Moderate severity) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H. The issue manifests when certain Check and ListObject calls are executed, specifically in scenarios involving type-bound public access with conditions. The vulnerability is characterized by network attack vector, low attack complexity, and requires low privileges without user interaction (GitHub Advisory).

The vulnerability impacts subsequent systems with high severity across confidentiality, integrity, and availability aspects, while showing no direct impact on the vulnerable system itself. This indicates that the vulnerability's effects are primarily observed in connected or dependent systems rather than the OpenFGA instance itself (GitHub Advisory).

The vulnerability has been patched in OpenFGA version 1.11.1, which is backwards compatible. For Helm chart users, version 0.2.49 contains the fix. No workarounds are available, making upgrading to the patched version the only solution (GitHub Release, GitHub Advisory).