Cyber Posture

CVE-2026-24851

Severity: High
Published: 06 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: fixed in OpenFGA v1.11.3
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24851 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenFGA, which ships both as the openfga Helm chart and as the openfga Docker image. Its CVSS v3.1 base score is 8.8 (High): reachable over the network, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity and availability impact.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation); in practice the latter means upgrading to OpenFGA v1.11.3 or later.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Requires enforcement of approved authorizations for access to resources, directly addressing the improper policy enforcement flaw in OpenFGA Check calls.

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and correction of flaws like this authorization bypass by upgrading to the fixed OpenFGA v1.11.3.

Security function verification (prevent): Requires verification that security functions such as OpenFGA's authorization enforcement correctly implement defined policies prior to use.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques? The CVE describes a network-accessible OpenFGA authorization bypass (CWE-863) triggered by crafted Check API calls under specific model and tuple conditions. A low-privileged attacker reaching the API maps to T1190 (exploiting a public-facing application); using the bypass to obtain access, modification or disruption beyond what the attacker was granted maps to T1068 (exploitation for privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 (Helm chart openfga-0.2.22 through openfga-0.2.51, Docker image v1.8.5 through v1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3.

Deeper analysis

CVE-2026-24851 is an improper policy enforcement vulnerability in OpenFGA, a high-performance authorization and permission engine inspired by Google Zanzibar. It affects versions v1.8.5 through v1.11.2, including Helm charts openfga-0.2.22 through openfga-0.2.51 and Docker images v1.8.5 through v1.11.2. The faulty path is reached during certain Check calls when the authorization model has a relation that is directly assignable both by type-bound public access (the wildcard form, e.g. user:*) and by type-bound non-public access (a concrete user such as user:anne), and the store holds three specific tuples: one granting the relation to the wildcard, a second granting the same relation on the same object to a concrete user, and a third granting the same relation to that same user on a different object whose object ID sorts lexicographically after the first. The weakness is classified as CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges (PR:L) and network access to the OpenFGA API can exploit this once the model and tuple conditions are met. Exploitation consists of issuing Check calls that hit the faulty evaluation path, so that a Check answers incorrectly for the affected object and relation. Because relying applications gate reads, writes and administrative actions on Check results, a wrong answer translates into unauthorized access, unauthorized modification of data or permissions, or disruption of legitimate access, which is why confidentiality, integrity and availability are all rated high.

The vulnerability is fixed in OpenFGA v1.11.3, as detailed in the project's release notes and security advisory. Upgrade to v1.11.3 or later; with the Helm chart, confirm both that the chart version is beyond openfga-0.2.51 and that the image tag it actually deploys (which can be overridden in values) is at least v1.11.3. Until the upgrade lands, review authorization models for relations that admit both a wildcard (type:*) and the plain type, and inspect the tuples of those relations for the three-tuple pattern described above.
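The preconditions above, and the advice to review deployed models for them, are easier to act on with a script. The following is an added example written for this page, not OpenFGA project code. It classifies a Helm chart or image version against the advisory's ranges, finds relations in an authorization model (in the JSON shape the OpenFGA authorization-models API returns, where directly related user types carry a `wildcard` key for `type:*`) that allow both the wildcard and the plain type, and reports tuple triples matching the advisory's pattern. `MODEL` and `TUPLES` are constructed samples; the reading that the third tuple lives on another object of the same type is our assumption. The script flags preconditions only: whether a particular Check returns the wrong answer must be confirmed against an affected build, and the fix remains the upgrade to v1.11.3.

```python
"""Triage helper for CVE-2026-24851 (OpenFGA improper policy enforcement).

Added example, not OpenFGA project code. Offline checks:
  1. is a chart/image version inside the advisory's affected ranges;
  2. which model relations are directly assignable by both a type-bound
     public user (wildcard, e.g. user:*) and the plain type (e.g. user);
  3. which tuples form the three-tuple pattern the advisory describes.
MODEL and TUPLES are constructed sample data, not from a real store.
"""
import re
from collections import defaultdict

# Inclusive affected ranges taken from the advisory text; fixed in v1.11.3.
AFFECTED = {
    "helm": ((0, 2, 22), (0, 2, 51)),
    "docker": ((1, 8, 5), (1, 11, 2)),
}


def parse_version(s):
    """'openfga-0.2.30', 'v1.11.2' or '1.11.3' -> (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"no x.y.z version in {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(kind, version):
    """kind is 'helm' or 'docker'; True if version lies in the affected range."""
    lo, hi = AFFECTED[kind]
    return lo <= parse_version(version) <= hi


def risky_relations(model):
    """Return {(type, relation)} whose directly_related_user_types has both a
    wildcard entry {'type': T, 'wildcard': {}} and a plain {'type': T}.
    Userset entries (with a 'relation' key) count as neither."""
    risky = set()
    for td in model.get("type_definitions", []):
        rel_meta = (td.get("metadata") or {}).get("relations") or {}
        for rel, meta in rel_meta.items():
            public, plain = set(), set()
            for u in meta.get("directly_related_user_types", []):
                if "relation" in u:
                    continue
                (public if "wildcard" in u else plain).add(u["type"])
            if public & plain:
                risky.add((td["type"], rel))
    return risky


def split_object(obj):
    """'document:a' -> ('document', 'a')."""
    typ, _, oid = obj.partition(":")
    return typ, oid


def is_public(user):
    """Type-bound public access is written as '<type>:*'."""
    return user.endswith(":*")


def find_pattern(tuples, risky):
    """Return (public_tuple, same_object_tuple, larger_object_tuple) triples.
    Assumption: the third tuple is on another object of the same type whose
    ID sorts after the first object's ID, same user and relation as tuple 2."""
    by_obj_rel = defaultdict(list)
    for t in tuples:
        by_obj_rel[(t["object"], t["relation"])].append(t)
    hits = []
    for (obj, rel), ts in by_obj_rel.items():
        typ, oid = split_object(obj)
        if (typ, rel) not in risky:
            continue
        publics = [t for t in ts if is_public(t["user"])]
        if not publics:
            continue
        for t2 in (t for t in ts if not is_public(t["user"])):
            for t3 in tuples:
                t3_typ, t3_oid = split_object(t3["object"])
                if (t3["relation"] == rel and t3["user"] == t2["user"]
                        and t3_typ == typ and t3_oid > oid):
                    hits.append((publics[0], t2, t3))
    return hits


# Constructed sample; DSL equivalent is "define viewer: [user, user:*]".
MODEL = {
    "schema_version": "1.1",
    "type_definitions": [
        {"type": "user", "relations": {}},
        {"type": "document",
         "relations": {"viewer": {"this": {}}},
         "metadata": {"relations": {"viewer": {"directly_related_user_types": [
             {"type": "user"}, {"type": "user", "wildcard": {}}]}}}},
    ],
}
TUPLES = [  # constructed; same shape as tuple_key objects in the OpenFGA API
    {"user": "user:*", "relation": "viewer", "object": "document:a"},
    {"user": "user:anne", "relation": "viewer", "object": "document:a"},
    {"user": "user:anne", "relation": "viewer", "object": "document:b"},
    {"user": "user:bob", "relation": "viewer", "object": "document:z"},
]


def triage(helm_version, image_version, model=MODEL, tuples=TUPLES):
    """Summarise exposure of one deployment as a dict."""
    risky = risky_relations(model)
    return {
        "chart_affected": is_affected("helm", helm_version),
        "image_affected": is_affected("docker", image_version),
        "risky_relations": risky,
        "pattern_hits": find_pattern(tuples, risky),
    }


if __name__ == "__main__":
    for key, val in triage("openfga-0.2.40", "v1.11.2").items():
        print(f"{key}: {val}")
```

To run it against a real store, replace `MODEL` with the JSON body of the authorization model and `TUPLES` with the `key` objects returned by the store's read endpoint; the tuple `document:z#viewer@user:bob` is included to show that a concrete grant without a matching wildcard on the same object is not reported.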

Details

CWE(s): CWE-863 Incorrect Authorization

Affected Products:
openfga / helm charts: 0.2.22 through 0.2.51
openfga / openfga: 1.8.5 through 1.11.2 (fixed in 1.11.3)

CVEs Like This One

CVE-2025-55213 (same product: OpenFGA Helm Charts)
CVE-2026-34972 (same product: OpenFGA Helm Charts)
CVE-2025-25196 (same product: OpenFGA Helm Charts)
CVE-2024-56323 (same product: OpenFGA Helm Charts)
CVE-2026-33729 (same product: OpenFGA)
CVE-2025-30093 (shared CWE-863)
CVE-2026-41191 (shared CWE-863)
CVE-2026-32101 (shared CWE-863)
CVE-2026-32267 (shared CWE-863)
CVE-2026-25859 (shared CWE-863)

References