📄 Description (English)
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3.
🤖 AI Executive Summary
OpenFGA versions 1.8.5 to 1.11.2 contain an improper policy enforcement vulnerability (CVE-2026-24851, CVSS 8.8) that could allow unauthorized access when specific authorization model configurations are present. The vulnerability affects authorization decisions under particular tuple assignment patterns involving type-bound public and non-public access. Organizations using OpenFGA for access control must upgrade to v1.11.3 immediately to prevent potential privilege escalation and unauthorized data access.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 18:45
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations implementing OpenFGA for authorization in critical systems. Banking sector (SAMA-regulated institutions) using OpenFGA for customer access control and transaction authorization face potential unauthorized transaction approval. Government agencies (NCA oversight) relying on OpenFGA for role-based access control could experience privilege escalation and unauthorized access to classified information. Healthcare providers using OpenFGA for patient data access control risk HIPAA-equivalent violations. Energy sector (ARAMCO, utilities) using OpenFGA for operational technology access control could face unauthorized system modifications. Telecom operators (STC, Mobily) using OpenFGA for subscriber management and billing systems risk unauthorized account modifications and service fraud.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
E-commerce and Retail
Insurance
Education
🎯 MITRE ATT&CK Techniques
T1548 - Abuse Elevation Control Mechanism: Privilege escalation through authorization bypass
T1078 - Valid Accounts: Unauthorized access using legitimate account mechanisms
T1556 - Modify Authentication Process: Authorization policy manipulation
T1110 - Brute Force: Potential exploitation of authorization logic flaws
T1087 - Account Discovery: Enumeration of accessible resources through authorization bypass
T1526 - Exposure of Sensitive Information: Unauthorized access to protected data
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all OpenFGA deployments across your organization, including Helm chart versions (openfga-0.2.22 to openfga-0.2.51) and Docker image versions (v1.8.5 to v1.11.2)
2. Identify systems using authorization models with type-bound public access relations combined with non-public access tuples
3. Review access logs for suspicious authorization decisions, particularly for Check calls involving mixed public/non-public tuple assignments
PATCHING GUIDANCE:
1. Upgrade OpenFGA to v1.11.3 or later immediately
2. For Helm deployments: Update openfga Helm chart to version 0.2.52 or later
3. For Docker deployments: Pull and deploy openfga:v1.11.3 or later
4. Test authorization policies in staging environment before production deployment
5. Implement blue-green deployment strategy to minimize downtime
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement additional authorization layer validation at application level
2. Add audit logging for all Check calls with detailed tuple information
3. Restrict access to OpenFGA API endpoints using network segmentation
4. Monitor for anomalous authorization patterns using SIEM
5. Implement rate limiting on Check API calls
DETECTION RULES:
1. Alert on Check calls with mixed public/non-public tuple assignments for same relation
2. Monitor for authorization decisions that grant access to users with lexicographically larger object IDs
3. Track failed authorization attempts followed by successful ones with identical parameters
4. Log all policy model changes and review for vulnerable configurations
5. Implement baseline of normal authorization patterns and alert on deviations
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع نشرات OpenFGA عبر مؤسستك، بما في ذلك إصدارات Helm (openfga-0.2.22 إلى openfga-0.2.51) وإصدارات Docker (v1.8.5 إلى v1.11.2)
2. حدد الأنظمة التي تستخدم نماذج تفويض بها علاقات وصول عام مرتبطة بالنوع مع tuples وصول غير عام
3. راجع سجلات الوصول للقرارات التفويضية المريبة، خاصة لاستدعاءات Check التي تتضمن إسنادات tuple مختلطة
إرشادات التصحيح:
1. قم بترقية OpenFGA إلى الإصدار 1.11.3 أو أحدث فوراً
2. لنشرات Helm: قم بتحديث مخطط Helm الخاص بـ openfga إلى الإصدار 0.2.52 أو أحدث
3. لنشرات Docker: اسحب ونشر openfga:v1.11.3 أو أحدث
4. اختبر سياسات التفويض في بيئة التجريب قبل نشر الإنتاج
5. طبق استراتيجية النشر الأزرق-الأخضر لتقليل وقت التوقف
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. طبق طبقة تحقق تفويض إضافية على مستوى التطبيق
2. أضف تسجيل تدقيق لجميع استدعاءات Check مع معلومات tuple مفصلة
3. قيد الوصول إلى نقاط نهاية OpenFGA API باستخدام تقسيم الشبكة
4. راقب أنماط التفويض الشاذة باستخدام SIEM
5. طبق تحديد معدل على استدعاءات Check API
قواعد الكشف:
1. تنبيه على استدعاءات Check مع إسنادات tuple مختلطة عام/غير عام لنفس العلاقة
2. راقب قرارات التفويض التي تمنح الوصول للمستخدمين بمعرفات كائنات أكبر معجمياً
3. تتبع محاولات التفويض الفاشلة متبوعة بمحاولات ناجحة بنفس المعاملات
4. سجل جميع تغييرات نموذج السياسة وراجع التكوينات الضعيفة
5. طبق خط أساس لأنماط التفويض العادية وتنبيه على الانحرافات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy: Improper policy enforcement violates access control requirements
ECC 2024 A.5.1.2 - User Registration and Access Rights: Unauthorized access due to policy bypass
ECC 2024 A.5.2.1 - Segregation of Duties: Type-bound access control bypass affects duty segregation
ECC 2024 A.8.2.1 - User Access Management: Privilege escalation through authorization bypass
🔵 SAMA CSF
SAMA CSF 1.1 - Governance: Authorization policy enforcement is critical governance control
SAMA CSF 2.1 - Access Control: Direct impact on access control effectiveness
SAMA CSF 2.2 - Privileged Access Management: Potential privilege escalation vulnerability
SAMA CSF 3.1 - Detection and Response: Requires monitoring for authorization anomalies
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information security policies and procedures: Authorization policy enforcement
ISO 27001:2022 A.8.2 - User access management: Access control and privilege management
ISO 27001:2022 A.8.3 - User responsibilities: Proper access rights assignment
ISO 27001:2022 A.9.2 - User access provisioning: Segregation of duties in access control
🟣 PCI DSS v4.0
PCI DSS 2.1 - Change default vendor-supplied passwords: Authorization system configuration
PCI DSS 7.1 - Restrict access to cardholder data: Access control policy enforcement
PCI DSS 7.2 - Restrict access to cardholder data by business need: Authorization decisions
PCI DSS 10.2 - Implement automated audit trails: Authorization decision logging
📦 Affected Products / CPE 2 entries
openfga:helm_charts
openfga:openfga