Lucene search
K

338 matches found

RedhatCVE
RedhatCVE
added 3 days ago5 views

CVE-2026-55170

A flaw was found in OpenFGA, an authorization/permission engine. When using MySQL as the datastore, and authorization decisions depend on case-sensitive user strings, the system may incorrectly treat case-distinct values e.g., 'user:Alice' and 'user:alice' as equivalent. This can lead to improper...

5.4CVSS6AI score0.00341EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 3 days ago8 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when OpenFGA is configured to use OIDC authentication authn.method=oidc, authn.oidc.issuer set but authn.oidc.audience is left unset, the JWT audience claim on incoming bearer tokens is not validated. As a result...

6.8CVSS6.1AI score0.00298EPSS
Exploits0References8
NVD
NVD
added 4 days ago6 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

6.8CVSS0.00298EPSS
Exploits0References5
NVD
NVD
added 4 days ago5 views

CVE-2026-55170

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...

2.1CVSS0.00341EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 4 days ago6 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

6.8CVSS6AI score0.00298EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-55689 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

6.8CVSS0.00298EPSS
Exploits0References5
CVE
CVE
added 4 days ago49 views

CVE-2026-55689

OpenFGA OpenID Connect authentication had a JWT audience validation bypass prior to 1.18.0 when authn.method=oidc, issuer configured, and authn.oidc.audience unset. This allowed a token minted for a different service by the same identity provider to authenticate to OpenFGA. The issue is fixed in ...

6.8CVSS6AI score0.00298EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 4 days ago6 views

CVE-2026-55170

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...

2.1CVSS5.9AI score0.00341EPSS
Exploits0References6Affected Software1
CVE
CVE
added 4 days ago19 views

CVE-2026-55170

CVE-2026-55170 affects OpenFGA when using MySQL as the datastore prior to 1.18.0. Case-insensitive/case-distinct comparisons on the tuple, changelog, and authorization_model identifier columns can cause values like user:Alice and user:alice to be treated as equivalent, making two distinct check r...

2.1CVSS5.9AI score0.00341EPSS
Exploits0References5
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-55170 OpenFGA MySQL backend: case-insensitive collation on identifier columns causes incorrect authorization decisions

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...

2.1CVSS0.00341EPSS
Exploits0References5
OSV
OSV
added 2026/06/25 10:34 p.m.10 views

GO-2026-5483 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision in github.com/openfga/openfga

OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision in github.com/openfga/openfga...

8.8CVSS5.8AI score0.00211EPSS
Exploits0References2
OSV
OSV
added 2026/06/25 10:34 p.m.5 views

GO-2026-5423 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga...

6.8CVSS5.8AI score0.00298EPSS
Exploits0References1
OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5322 OpenFGA Improper Policy Enforcement in github.com/openfga/openfga

OpenFGA Improper Policy Enforcement in github.com/openfga/openfga...

2.1CVSS5.8AI score0.00341EPSS
Exploits0References1
OSV
OSV
added 2026/06/25 6:26 p.m.4 views

GO-2026-5136 OpenFGA has Improper Policy Enforcement in github.com/openfga/openfga

OpenFGA has Improper Policy Enforcement in github.com/openfga/openfga...

5CVSS5.8AI score0.00145EPSS
Exploits0References3
OSV
OSV
added 2026/06/25 6:26 p.m.5 views

GO-2026-5170 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response in github.com/openfga/openfga

OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response in github.com/openfga/openfga...

7.5CVSS5.8AI score0.00286EPSS
Exploits0References3
OSV
OSV
added 2026/06/19 2:35 p.m.7 views

GHSA-HCXC-WF8J-23HV OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...

6.8CVSS5.8AI score0.00298EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/19 2:35 p.m.11 views

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...

6.8CVSS5.8AI score0.00298EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.20 views

PT-2026-50974

Name of the Vulnerable Software and Affected Versions OpenFGA versions prior to 1.18.0 Description The OIDC authenticator fails to validate the JWT audience aud claim when no audience is configured. In environments where a single identity provider issues tokens for multiple services, a token...

6.8CVSS5.8AI score0.00298EPSS
Exploits0References9
OSV
OSV
added 2026/06/18 3:5 p.m.6 views

GHSA-CF98-J28V-49V6 OpenFGA Improper Policy Enforcement

Description In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response. Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with MySQL as the datastore 2. Your authorization decisions rely on case-sensitive use...

2.1CVSS5.4AI score0.00341EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.13 views

OpenFGA Improper Policy Enforcement

Description In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response. Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with MySQL as the datastore 2. Your authorization decisions rely on case-sensitive use...

2.1CVSS5.3AI score0.00341EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder