Incorrect authorization decisions due to case-insensitive comparisons in MySQL datastore
Summary
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0. This can lead to improper policy enforcement, where two different authorization requests might receive the same, unintended response, potentially affecting access controls. Red Hat does not ship OpenFGA as a standalone product. The affected code is bundled inside Grafana's experimental "Zanzana" authorization engine (which vendors github.com/openfga/openfga as a Go dependency), and Grafana itself is embedded in Red Hat Ceph Storage's dashboard, Red Hat Advanced Cluster Management, Multicluster Global Hub, and RHEL's grafana package. Zanzana is disabled by default in upstream Grafana (feature toggle zanzana=false, experimental) and none of these embedding products expose it as a supported, user-configurable OpenFGA/MySQL-backed authorization server, which significantly limits real-world exposure even though the vulnerable dependency ships as part of the bundled code. Red Hat severity: Moderate — CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
- < 1.18.0
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- No mitigation is required for the affected Red Hat products, since none of them expose Grafana's Zanzana/OpenFGA authorization engine as a supported, user-facing feature backed by MySQL. Operators running a standalone, self-configured OpenFGA deployment with MySQL as the datastore should upgrade to OpenFGA 1.18.0 or later, which changes the MySQL identifier columns to a case-sensitive (utf8mb4_bin) collation.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.