cvedb.io
CVE-2022-39340
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2022-10-25T17:15:56.213 · Last modified 2026-06-17T04:58:10.447

Summary

OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue.

Affected products

openfga — openfga

Does this affect you?

Add your gear to cvedb and we'll alert you only when openfga ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.