RATATOSKRATATOSK
Sign in

OpenFGA

v1.18.1Security
Jun 30, 2026

v1.18.1 is a routine patch that fixes CIDR matching behavior and serialization determinism while extending an experimental flag to BatchCheck. No breaking changes or CVEs are reported, though the in_cidr fix does change matching behavior for IPv4-mapped IPv6 addresses.

  • breakingin_cidr now matches IPv4-mapped IPv6 addresses against IPv4 CIDRs

    Applies unconditionally: the in_cidr condition now normalizes IPv4-mapped IPv6 addresses (e.g. ::ffff:192.168.1.1) to their IPv4 form before matching, so they can now match IPv4 CIDRs like 192.168.1.0/24. Review any authorization models relying on in_cidr if you expect these addresses to be excluded from IPv4 ranges.

Key changes (4)

  • in_cidr condition now normalizes IPv4-mapped IPv6 addresses (RFC 4291 §2.5.5.2) to their IPv4 equivalent, so ::ffff:192.168.1.1 matches 192.168.1.0/24
  • Adds diagnostic logging in weighted_graph_check, Expand, and ListUsers to flag models where a future v2 Check resolution might diverge from v1; no operator action required now
  • Experimental weighted_graph_check flag now extends to BatchCheck, evaluating each item with the weighted graph algorithm and falling back per-item to the standard algorithm on non-terminal errors
  • Authorization model serialization to serialized_protobuf now uses deterministic proto marshaling, fixing inconsistent stored bytes for models with map-keyed type definitions