3 matches found
CVE-2026-40293
OpenFGA prior to v1.14.0 (versions 0.1.4–1.13.1) with preshared authentication and enabled playground exposes the preshared API key in the HTML response of the /playground endpoint, which is unauthenticated and accessible beyond localhost/trusted networks. This is the core issue described in GO-2...
CVE-2026-40293 OpenFGA Playground Preshared Key Exposure
OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...
GHSA-68M9-983M-F3V5 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
Description When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It...