CVE-2024-56323 Overview
CVE-2024-56323 is an authorization bypass vulnerability in OpenFGA, an open-source authorization and permission engine. The flaw affects OpenFGA versions v1.3.8 through v1.8.2, Helm chart versions openfga-0.1.38 through openfga-0.2.19, and the corresponding Docker images. The vulnerability allows authorization decisions to be incorrectly returned when conditional models, contextual tuples, and query caching interact. Exploitation requires authenticated API access but can result in unauthorized resource access across tenants relying on OpenFGA for permission enforcement. The issue is tracked under CWE-285: Improper Authorization.
Critical Impact
Authenticated callers of the Check or ListObjects APIs can bypass authorization decisions when OpenFGA is configured with query caching enabled and models use conditions evaluated against contextual tuples.
Affected Products
- OpenFGA server v1.3.8 through v1.8.2
- OpenFGA Helm chart openfga-0.1.38 through openfga-0.2.19
- OpenFGA Docker images v1.3.8 through v1.8.2
Discovery Timeline
- 2025-01-13 - CVE-2024-56323 published to NVD
- 2025-12-31 - Last updated in NVD database
Technical Details for CVE-2024-56323
Vulnerability Analysis
OpenFGA is a relationship-based authorization engine inspired by Google's Zanzibar. It evaluates whether a subject has a relation to an object using stored tuples and an authorization model. The Check and ListObjects APIs accept contextual tuples that augment the stored state at evaluation time. Conditional relations evaluate context attributes against expression logic before granting access.
The defect arises when three conditions hold simultaneously: the model uses conditions, the API call passes contextual tuples that include conditions, and the server is configured with OPENFGA_CHECK_QUERY_CACHE_ENABLED set to true. Under these conditions, cached check results do not correctly account for the conditional context supplied with the request. Subsequent calls can receive a cached decision that does not reflect the actual conditional evaluation, returning an incorrect authorization outcome.
Root Cause
The root cause is an incomplete cache key construction in the check query cache path. Conditional attributes attached to contextual tuples were not fully incorporated into the cache key, allowing semantically distinct requests to collide on the same cache entry. This is a classic improper authorization defect [CWE-285] surfaced through a caching optimization.
Attack Vector
An authenticated client with permission to call Check or ListObjects can trigger the flaw by issuing requests with conditional contextual tuples against a conditional model. Once a cache entry is populated, a later request that should evaluate to a different result may instead read the stale cached decision. The vulnerability is reachable over the network through the standard OpenFGA gRPC or HTTP API surface.
No verified public proof-of-concept is available. See the OpenFGA security advisory GHSA-32q6-rr98-cjqv for upstream technical detail.
Detection Methods for CVE-2024-56323
Indicators of Compromise
- Unexpected allow decisions returned by Check API calls that include conditional contextual tuples on a conditional model.
- ListObjects responses that include objects a caller should not be authorized to see when query caching is enabled.
- Divergence between OpenFGA decisions and downstream audit logs of resource access.
Detection Strategies
- Inventory all OpenFGA deployments and identify instances where OPENFGA_CHECK_QUERY_CACHE_ENABLED is set to true.
- Review authorization models for use of conditions and identify services that send contextual tuples with conditional payloads.
- Replay representative Check and ListObjects requests with and without caching to compare decisions and surface inconsistencies.
Monitoring Recommendations
- Log full request context for Check and ListObjects calls and alert on authorization decisions that contradict downstream access outcomes.
- Monitor OpenFGA server version metadata exposed by /healthz and deployment manifests to detect vulnerable versions in production.
- Track Helm chart and container image versions in CI/CD pipelines to flag deployments of vulnerable releases.
How to Mitigate CVE-2024-56323
Immediate Actions Required
- Upgrade OpenFGA to v1.8.3 or later across all server, Docker, and Helm chart deployments.
- Audit recent Check and ListObjects traffic for potential authorization bypass while caching was enabled.
- Rotate or revalidate access decisions for any high-sensitivity resources protected by conditional models.
Patch Information
The maintainers fixed the issue in OpenFGA v1.8.3. The corresponding Helm chart and Docker image releases include the corrected check query cache logic. Refer to the GitHub Security Advisory GHSA-32q6-rr98-cjqv for release notes and upgrade guidance.
Workarounds
- No vendor-supported workaround exists; upgrading to v1.8.3 is the only remediation per the upstream advisory.
- Operators who cannot upgrade immediately should weigh disabling OPENFGA_CHECK_QUERY_CACHE_ENABLED against the performance impact, recognizing the maintainers do not list this as a sanctioned workaround.
# Example: pin OpenFGA Helm chart to a fixed release
helm repo update
helm upgrade openfga openfga/openfga \
--version 0.2.20 \
--set image.tag=v1.8.3 \
--set cache.checkQueryCacheEnabled=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
