{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-21T10:45:34.400","vulnerabilities":[{"cve":{"id":"CVE-2022-39352","sourceIdentifier":"security-advisories@github.com","published":"2022-11-08T08:15:09.790","lastModified":"2026-06-17T04:58:11.940","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation."},{"lang":"es","value":"OpenFGA es un motor de autorización/permisos de alto rendimiento inspirado en Google Zanzibar. Las versiones anteriores a la 0.2.5 son vulnerables a la evasión de autorización bajo ciertas condiciones. Esta vulnerabilidad le afecta si agrega una tupla con un comodín (*) asignado a una relación de conjunto de tuplas (el lado derecho de una declaración ‘from’). Este problema se solucionó en la versión v0.2.5. Esta actualización no es compatible con ningún modelo de autorización que utilice comodines en una relación de conjunto de tuples."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"openfga","product":"openfga","versions":[{"version":"< 0.2.5","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-04-23T13:55:03.272827Z","id":"CVE-2022-39352","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-863"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*","versionEndExcluding":"0.2.5","matchCriteriaId":"8B5607C0-4DAE-4DE9-9E16-A7F4993EB122"}]}]}],"references":[{"url":"https://github.com/openfga/openfga/security/advisories/GHSA-3gfj-fxx4-f22w","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/openfga/openfga/security/advisories/GHSA-3gfj-fxx4-f22w","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}