This repository was archived by the owner on Jul 5, 2025. It is now read-only.

fix(deps): update module github.com/openfga/openfga to v1.8.11 [security] #170

Merged: 2 commits from renovate/go-github.com-openfga-openfga-vulnerability into main on May 20, 2025

Conversation

renovate[bot] (Contributor) commented Jan 13, 2025

This PR contains the following updates:

Package: github.com/openfga/openfga
Change: v1.7.0 -> v1.8.11

GitHub Vulnerability Alerts

CVE-2024-56323

Overview

OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v1.8.2) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

Am I Affected?

You are affected by this authorization bypass vulnerability if you are using OpenFGA v1.3.8 to v1.8.2, specifically under the following conditions:

  1. Calling Check API or ListObjects with a model that uses conditions, and
  2. OpenFGA is configured with caching enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED), and
  3. Check API call or ListObjects API calls contain contextual tuples that include conditions.

Fix

Upgrade to v1.8.3. This upgrade is backwards compatible.

CVE-2025-25196

Overview
OpenFGA v1.8.4 or previous (Helm chart < openfga-0.2.22, docker < v1.8.5) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

Am I Affected?
If you are using OpenFGA v1.8.4 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability:

  • Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type, and
  • A type bound public access tuple is assigned to an object, and
  • userset tuple is not assigned to the same object, and
  • Check request's user field is a userset that has the same type as the type bound public access tuple's user type

Fix
Upgrade to v1.8.5. This upgrade is backwards compatible.

CVE-2025-46331

Overview
OpenFGA v1.8.10 or previous (Helm chart <= openfga-0.2.28, docker <= v1.8.10) are vulnerable to authorization bypass when certain Check and ListObject calls are executed.

Am I Affected?
If you are using OpenFGA v1.8.10 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability:

  • Calling Check API or ListObjects with an authorization model that has a tuple cycle, and
  • Check query cache is enabled, and
  • There are multiple check / list objects requests involving the tuple cycle within the check query TTL

Fix
Upgrade to v1.8.11. This upgrade is backwards compatible.


Release Notes

openfga/openfga (github.com/openfga/openfga)

v1.8.11

Compare Source

Fixed
  • Do not save to check query cache when result indicates cycle. CVE-2025-46331

Full changelog

v1.8.10

Compare Source

Added
  • Added "dispatch_count" attribute to batch-check request logs. #2369
  • Added "dispatch_count" histogram metric to batch-check requests. #2369
  • Added "request.throttled" boolean for check and batch-check request logs. #2369
  • Added "throttled_requests_count" metric to batch-check requests. #2369
  • Surface partial metrics on check resolutions #2371
  • Added "current_iterator_cache_count" gauge metric to current number of iterator cache. #2397
  • Adds cached iterators to ListObjects #2388
Changed
  • The serverconfig was moved from internal to pkg to make it available to external users of this package. #2382
Fixed
  • Add limit to goroutine concurrency when processing iterator #2386
  • Fixes case where cached_datastore.ReadStartingWithUser generated bad cache invalidation keys. #2381

Full changelog


v1.8.9

Compare Source

Added
  • Updated grpc logs for the healthcheck service to log at the Debug level instead of at the Info level. #2340
  • Separate out experimental list objects optimization flag (enable-list-objects-optimizations) from experimental check optimization flag (enable-check-optimizations) to allow individual optimization. #2341.

Full changelog


v1.8.8

Compare Source

Added
  • Added a new CheckResolver (ShadowResolver) to allow comparing changes across different CheckResolvers. #2308.
Changed
  • Extend object_id VARCHAR in MySQL to 255 characters. #2230.

Full changelog

Changelog

  • 0f16ee6 Mysql: Extend object_id VARCHAR to 255 (#2230)
  • 7511928 chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#2325)
  • 825cd8a chore(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 (#2311)
  • 7e99b6f chore(deps): bump the dependencies group across 1 directory with 3 updates (#2319)
  • ae0a700 chore(deps): bump the dependencies group across 1 directory with 4 updates (#2318)
  • 426e31e chore(deps): bump the dependencies group across 1 directory with 6 updates (#2332)
  • 459e6e6 docs(v1.8.8): add v1.8.8 release notes to CHANGELOG (#2320)
  • 2b5324d docs(v1.8.8): add v1.8.8 release notes to CHANGELOG (#2333)
  • 2bbff46 feat: Add Shadow Check Resolver to allow comparing results (#2308)
  • 4d1606e fix: fix shadow resolver for Checks that have cycles and better reliability (#2317)
  • d500124 tests: consolidate matrix test infrastructure (#2322)
  • cc40ed7 tests: moves ListObjects matrix assertions and adds Weight1 wildcard test (#2327)

v1.8.7

Compare Source

Added

  • Added storage.ErrTransactionThrottled for throttling errors applied at the datastore level. #2304.

Fixed

  • Fixed evaluation of certain recursive TTU cases behind the enable-check-optimizations flag. #2281

Full changelog


v1.8.6

Compare Source

Added

  • Added cachecontroller_cache_invalidation_count metric to track invalidation operations. https://github.com/openfga/openfga/pull/2282

Full changelog

Changelog

  • bf1744a chore(deps): bump the dependencies group across 1 directory with 8 updates (#2288)
  • 728a148 chore(deps): bump the dependencies group across 1 directory with 8 updates (#2289)
  • 93568f7 chore: dry run goreleaser on PRs to main (#2286)
  • 15a9cb8 chore: update changelog in prep for v1.8.6 (#2291)
  • 70e70e6 feat: add cachecontroller_cache_invalidation_count metric (#2282)

v1.8.5

Compare Source

Added
  • Improve Check performance for sub-problems when caching is enabled #2193.
  • Improve Check performance for relations involving public wildcard. Enable via experimental flag enable-check-optimizations. #2180.
  • Improve Check API performance when experimental flag enable-check-optimizations is turned on and contextual tuples are involved. #2150
  • Added metrics to track invalid cache hits: check_cache_invalid_hit_count and tuples_iterator_cache_invalid_hit_count #2222.
  • Move Check performance optimizations out of experimental mode: shortcutting based on path, recursive userset fast path, and recursive TTU fast path. #2236
  • Improve Check API performance when experimental flag enable-check-optimizations is turned on and the model contains union of a TTU and algebraic operations. #2200
  • Implement dynamic TLS certificate reloading for HTTP and gRPC servers. #2182
  • Publicize check.RunMatrixTests method to allow testing against any ClientInterface. #2267.
Changed
  • Performance optimizations for string operations and memory allocations across the codebase #2238 and #2241
  • Update to Go 1.23 as the min supported version and bump the container image to go1.23.6
    We follow Go's version support policy and will only support the latest two major versions of Go. Now that Go 1.24 is out, we have dropped support for Go < 1.23.
Fixed
  • Optimized database dialect handling by setting it during initialization instead of per-call, fixing SQL syntax errors in MySQL #2252
  • Fixed incorrect invalidation by cache controller on cache iterator. #2190, #2216
  • Fixed incorrect types in configuration JSON schema #2217, #2228.
  • Fixed BatchCheck API to validate presence of the tuple_key property of a BatchCheckItem #2242
  • Fixed incorrect check and list objects evaluation when model has a relation directly assignable to both public access AND userset with the same type and type bound public access tuple is assigned to the object. CVE-2025-25196

v1.8.4

Compare Source

Fixed
  • Fixed missing binding between flags and environment variables for the cache controller feature #2184
  • Fixed Read API to validate user field and assert presence of both type and value. #2195
Security
  • Address CVE-2024-56323 - an issue affecting Check and ListObjects results for users using Conditions in Contextual Tuples. Please see the CVE report for more details.

Full changelog: [1.8.3...1.8.4]


v1.8.3

Compare Source

Added
  • Improve Check performance for Userset relationships that include set operations. Enable via experimental flag enable-check-optimizations. #2140
  • Add name as a filter to ListStores. The name parameter instructs the API to only include results that match that name. #2103
  • Additional guard against nil context at the time of server initialization #2187
Fixed
  • Ensure Check Cache Key considers contextual_tuple conditions and their contexts #2160.

Full Changelog: openfga/openfga@v1.8.2...v1.8.3

v1.8.2

Compare Source

Added
  • Add metrics cachecontroller_find_changes_and_invalidate_histogram on latency for cache controller in finding changes and invalidating. #2135
  • Improve Check performance when cache controller is enabled by invalidating iterator and sub-problem cache asynchronously when read changes API indicates there are recent writes/deletes for the store. #2124
  • Improve check cache key generation performance via strings.Builder #2161.
Fixed
  • Labels of metrics that went past the max histogram bucket are now labelled "+Inf" instead of ">max". #2146
  • Prevent possible data races by waiting for in-flight cached iterator goroutines during server shutdown #2145
  • Correct incorrect check result returned when using experimental flag enable-check-optimizations and model has intersection or exclusion within a TTU or Userset. #2157

Full changelog

v1.8.1

Compare Source

Added
  • New flag OPENFGA_CHECK_ITERATOR_TTL. Please see the flag description (./openfga run --help) for more details. #2082
  • New flag OPENFGA_CHECK_CACHE_LIMIT. Please see the flag description (./openfga run --help) for more details. #2082
  • Improve Check performance for TTU relationships that include set operations. Enable via experimental flag enable-check-optimizations. #2075
  • Add a field in log entries when authz calls were made. #2130
  • Add Duration to ResolveCheckResponseMetadata for use in metrics. #2139
  • Add check_duration_ms metric to server package to enable measurement of check across different API methods. #2139
  • Added deduplication logic to BatchCheck API. #2102
Changed
  • OIDC token validation will now exclusively throw error code 1004 for invalid tokens. #1999
Removed
  • Begin deprecation process for flag OPENFGA_CHECK_QUERY_CACHE_LIMIT, in favor of OPENFGA_CHECK_CACHE_LIMIT. #2082
  • Removed flags with the OPENFGA_DISPATCH_THROTTLING_* name. #2083
Fixed
  • Improve Check performance in the case that the query involves types that cannot be reached from the source. Enable via experimental flag enable-check-optimizations. #2104
  • Fix regression introduced in #2091: error message for invalid Writes. #2110
  • Ensure /read and /list-objects respect the received Consistency values #2113
  • Fix access-control to always return unauthorized errors, and add logging for authorization failures #2129

Full changelog

v1.8.0

Compare Source

Added
  • Added start_time parameter to ReadChanges API to allow filtering by specific time #2020
  • Added support for Contextual Tuples in the Expand API. #2045
  • Added a flag OPENFGA_CONTEXT_PROPAGATION_TO_DATASTORE to control propagation of a request's context to the datastore. #1838
  • Added OTEL measurement for access control store check latency and write latency due to authorization #2069
  • Added BatchCheck API which allows multiple check operations to be performed in a single request.
    It requires a unique correlation_id associated with each individual check to map each result to its associated tuple.
    For more details, see batch check docs #2039.
Performance
  • Improve Check performance in the case that the query involves resolving nested userset with type bound public access. Enable via experimental flag enable-check-optimizations. #2063
Breaking changes
  • The storage adapter ReadChanges's parameter ReadChangesOptions allows filtering by StartTime #2020.
    As a part of the implementation, a new server setting called WithContinuationTokenSerializer was introduced.
    If you are using OpenFGA as a library, you will need to pass in either StringContinuationTokenSerializer, or SQLContinuationTokenSerializer, or implement your own (if you also have your own storage adapter)
  • The storage adapter ReadPage return parameters changed from ([]*openfgav1.Tuple, []byte, error) to ([]*openfgav1.Tuple, string, error) #2064
    If you are using a custom storage adapter or consume ReadPage func in your code, you will need to update the return type and/or handling of the ReadPage function.
  • ErrMismatchObjectType error type removed from openfga package #2064 as storage is not validating this anymore.
    Validation moved to ReadChangesQuery implementation.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
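The three "Am I Affected?" sections in the PR description give version ranges but no quick way to test a dependency tree against them. The following is an added example, not OpenFGA's or this repository's code: a small Go program that reads a Go module's go.mod, extracts the github.com/openfga/openfga version, and reports which of the three advisories' version ranges it falls in. It transcribes only the version bounds stated in the advisories (v1.3.8 to v1.8.2, v1.8.4 or previous, v1.8.10 or previous); whether a deployment is actually exploitable still depends on the model and cache conditions listed in each advisory, which the code only echoes as text. The sample go.mod content, the module name example.com/app and the dependency example.com/other are constructed for illustration, and because the advisories for CVE-2025-25196 and CVE-2025-46331 state only an upper bound, no lower bound is applied for them (an assumption on my part).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed MAJOR.MINOR.PATCH release number.
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts "v1.8.11" or "1.8.11". Pre-release or build suffixes
// are rejected because the advisory ranges only name plain releases.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("unsupported version string %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("unsupported version string %q", s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

func (v Version) String() string { return fmt.Sprintf("v%d.%d.%d", v.Major, v.Minor, v.Patch) }

// Advisory is one affected range as stated in the advisory text. HasFrom=false
// means the advisory gave only an upper bound ("v1.8.4 or previous"), so no
// lower bound is applied (assumption).
type Advisory struct {
	ID         string
	HasFrom    bool
	From, To   Version // inclusive
	Fixed      Version
	Conditions string // the extra conditions the advisory requires; not evaluated here
}

// advisories transcribes the three "Am I Affected?" sections of the PR description.
var advisories = []Advisory{
	{ID: "CVE-2024-56323", HasFrom: true, From: Version{1, 3, 8}, To: Version{1, 8, 2}, Fixed: Version{1, 8, 3},
		Conditions: "model uses conditions, OPENFGA_CHECK_QUERY_CACHE_ENABLED, contextual tuples carry conditions"},
	{ID: "CVE-2025-25196", To: Version{1, 8, 4}, Fixed: Version{1, 8, 5},
		Conditions: "relation directly assignable to both type-bound public access and a userset of the same type"},
	{ID: "CVE-2025-46331", To: Version{1, 8, 10}, Fixed: Version{1, 8, 11},
		Conditions: "model has a tuple cycle and the check query cache is enabled"},
}

// Affecting returns the IDs of advisories whose version range includes v.
func Affecting(v Version) []string {
	var ids []string
	for _, a := range advisories {
		if a.HasFrom && v.Less(a.From) {
			continue
		}
		if a.To.Less(v) {
			continue
		}
		ids = append(ids, a.ID)
	}
	return ids
}

// OpenFGAVersionFromGoMod finds the require line for github.com/openfga/openfga
// in go.mod text, in block or single-line form; a "// indirect" comment is tolerated.
func OpenFGAVersionFromGoMod(gomod string) (Version, error) {
	const mod = "github.com/openfga/openfga"
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == mod {
			return ParseVersion(f[1])
		}
	}
	return Version{}, fmt.Errorf("%s is not required in go.mod", mod)
}

func main() {
	// Constructed sample go.mod reflecting the "before" state of this PR (v1.7.0).
	const sampleGoMod = `module example.com/app

go 1.24

require (
	github.com/openfga/openfga v1.7.0
	example.com/other v0.1.0 // indirect
)
`
	v, err := OpenFGAVersionFromGoMod(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s is in the affected range of: %v\n", v, Affecting(v))
	for _, a := range advisories {
		fmt.Printf("  %s: fixed in %s; only exploitable when: %s\n", a.ID, a.Fixed, a.Conditions)
	}
	target, _ := ParseVersion("v1.8.11")
	fmt.Printf("%s is in the affected range of: %v\n", target, Affecting(target))
}
```

Run it with `go run .` in a directory containing only this file; to check a real project, replace sampleGoMod with the contents of its go.mod. A version outside every range (v1.8.11 here) yields an empty list, which is the state this PR moves the repository to.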

@renovate renovate bot enabled auto-merge (squash) January 13, 2025 20:17

renovate bot commented Jan 13, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 15 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24 -> 1.24.2
github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20240926131254-992b301a003f -> v0.2.0-beta.2.0.20250220223040-ed0cfba54336
cel.dev/expr v0.20.0 -> v0.23.1
github.com/google/cel-go v0.22.0 -> v0.25.0
github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 -> v2.3.1
github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 -> v2.26.3
github.com/prometheus/client_golang v1.20.5 -> v1.22.0
github.com/prometheus/common v0.55.0 -> v0.62.0
github.com/prometheus/procfs v0.15.1 -> v0.16.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 -> v1.35.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 -> v1.35.0
go.opentelemetry.io/otel/sdk v1.34.0 -> v1.35.0
go.opentelemetry.io/proto/otlp v1.3.1 -> v1.5.0
go.uber.org/mock v0.5.0 -> v0.5.2
google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a -> v0.0.0-20250303144028-a0af3efb3deb
google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a -> v0.0.0-20250324211829-b45e905df463

CLAassistant commented Jan 13, 2025

CLA assistant check: All committers have signed the CLA.

@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 3 times, most recently from 311f595 to 8612b25 Compare January 18, 2025 01:03
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 6 times, most recently from a02a3f0 to 86192fa Compare January 29, 2025 04:59
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 3 times, most recently from 7dac8f3 to 7067091 Compare February 11, 2025 01:03
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 7 times, most recently from 11c0297 to cff3f78 Compare February 19, 2025 21:44
@renovate renovate bot changed the title fix(deps): update module github.com/openfga/openfga to v1.8.3 [security] fix(deps): update module github.com/openfga/openfga to v1.8.5 [security] Feb 19, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 3 times, most recently from 1cde24e to 0619f40 Compare February 25, 2025 06:33
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch from 0619f40 to 996bd11 Compare February 28, 2025 11:45
@github-actions github-actions bot added the fix label Feb 28, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch from 996bd11 to cdfaad0 Compare February 28, 2025 15:34
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 6 times, most recently from bd8d961 to 1761e75 Compare April 10, 2025 08:09
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 2 times, most recently from f857bfa to 931db94 Compare April 17, 2025 07:31
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 3 times, most recently from 0e13f46 to 095ee19 Compare April 23, 2025 22:15
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 2 times, most recently from e292ec7 to a40b47f Compare April 30, 2025 23:14
@renovate renovate bot changed the title fix(deps): update module github.com/openfga/openfga to v1.8.5 [security] fix(deps): update module github.com/openfga/openfga to v1.8.11 [security] Apr 30, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch from a40b47f to 7c25fdd Compare May 2, 2025 21:41
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 3 times, most recently from 629eb11 to c1d2845 Compare May 16, 2025 02:33
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch 5 times, most recently from 4956c33 to d08b438 Compare May 20, 2025 16:54
@renovate renovate bot force-pushed the renovate/go-github.com-openfga-openfga-vulnerability branch from d08b438 to fa65fc6 Compare May 20, 2025 17:00

renovate bot commented May 20, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot merged commit 42f0b16 into main May 20, 2025
10 checks passed
@renovate renovate bot deleted the renovate/go-github.com-openfga-openfga-vulnerability branch May 20, 2025 17:04