CVE-2025-48371 is a medium-severity vulnerability affecting OpenFGA, an authorization and permission engine widely used to manage fine-grained access control. The vulnerability exists in OpenFGA versions 1.8.0 through 1.8.12 (including Helm charts openfga-0.2.16 through openfga-0.2.30 and corresponding Docker images). It is classified as CWE-285: Improper Authorization. The flaw allows an authorization bypass under specific conditions involving the Check and ListObjects API calls. Specifically, when an authorization model includes a relationship that can be assigned both by type-bound public access and userset, and when queries include contextual tuples where the user field is itself a userset, but type-bound public access tuples are not assigned, the system may incorrectly authorize access. This means that unauthorized users could potentially gain access to resources or data they should not have permissions for. The vulnerability requires low attack complexity and low privileges (partial privileges) but no user interaction, and it affects confidentiality, integrity, and availability with a high scope impact due to the potential bypass of authorization controls. The vendor has released version 1.8.13 which patches this issue and is backward compatible. No known exploits are currently reported in the wild.

For European organizations, this vulnerability poses a significant risk especially for those relying on OpenFGA for access control in cloud-native environments, microservices architectures, or SaaS platforms. Unauthorized access due to this flaw could lead to data leakage, unauthorized data modification, or disruption of services, impacting confidentiality, integrity, and availability of critical systems. Sectors such as finance, healthcare, government, and critical infrastructure, which often implement strict access controls, could face compliance violations (e.g., GDPR) and reputational damage if unauthorized access occurs. The medium CVSS score reflects the moderate ease of exploitation combined with the potentially broad impact on access control enforcement. Since OpenFGA is used to enforce fine-grained permissions, exploitation could allow attackers or malicious insiders to escalate privileges or access sensitive data without detection.

European organizations should immediately assess their use of OpenFGA and identify deployments running vulnerable versions (1.8.0 through 1.8.12). The primary mitigation is to upgrade to OpenFGA version 1.8.13 or later, which contains the patch for this authorization bypass. Since the upgrade is backward compatible, it should be feasible to deploy without major disruptions. Additionally, organizations should audit their authorization models to identify any relationships that combine type-bound public access and userset assignments, especially those involving contextual tuples with userset user fields. Tightening or redesigning these models to avoid ambiguous or overlapping assignments can reduce risk. Implementing additional monitoring and anomaly detection on authorization API calls (Check and ListObjects) may help detect suspicious access patterns. Finally, organizations should review their incident response plans to prepare for potential exploitation scenarios involving authorization bypass.