CVE-2025-55213

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-55213
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v.1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This vulnerability is fixed in 1.9.5.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/openfga/openfga/commit/1a7e0e37fc4777c824b2386cac4867a66f3480b0 Patch
https://github.com/openfga/openfga/security/advisories/GHSA-mgh9-4mwp-fg55 Patch Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*
cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*
History

14 Jan 2026, 17:10

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
Summary
  • (es) OpenFGA es un motor de autorización y permisos flexible y de alto rendimiento, diseñado para desarrolladores e inspirado en Google Zanzibar. Las versiones 1.9.3 a 1.9.4 de OpenFGA (openfga-0.2.40 &lt;= Helm chart &lt;= openfga-0.2.41, v1.9.3 &lt;= docker &lt;= v.1.9.4) son vulnerables a la aplicación incorrecta de políticas al ejecutar ciertas llamadas a Check y ListObject. Esta vulnerabilidad se corrigió en la versión 1.9.5.
First Time Openfga helm Charts
Openfga
Openfga openfga
CPE cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*
cpe:2.3:a:openfga:helm_charts:*:*:*:*:*:openfga:*:*
References () https://github.com/openfga/openfga/commit/1a7e0e37fc4777c824b2386cac4867a66f3480b0 - () https://github.com/openfga/openfga/commit/1a7e0e37fc4777c824b2386cac4867a66f3480b0 - Patch
References () https://github.com/openfga/openfga/security/advisories/GHSA-mgh9-4mwp-fg55 - () https://github.com/openfga/openfga/security/advisories/GHSA-mgh9-4mwp-fg55 - Patch, Vendor Advisory

18 Aug 2025, 20:16

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-18 20:15

Updated : 2026-01-14 17:10

NVD link : CVE-2025-55213

Mitre link : CVE-2025-55213

CVE.ORG link : CVE-2025-55213

JSON object : View

Products Affected

openfga

  • helm_charts
  • openfga
CWE
CWE-863

Incorrect Authorization