Lucene search
+L

346 matches found

cvelist
cvelist
added 2026/04/17 8:47 p.m.27 views

CVE-2026-40293 OpenFGA Playground Preshared Key Exposure

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

6.5CVSS0.00286EPSS
Exploits0References2
cve
cve
added 2026/04/17 8:47 p.m.31 views

CVE-2026-40293

OpenFGA prior to v1.14.0 (versions 0.1.4–1.13.1) with preshared authentication and enabled playground exposes the preshared API key in the HTML response of the /playground endpoint, which is unauthenticated and accessible beyond localhost/trusted networks. This is the core issue described in GO-2...

7.5CVSS5.7AI score0.00286EPSS
Exploits0References8Affected Software1
osv
osv
added 2026/04/17 8:47 p.m.4 views

CVE-2026-40293 OpenFGA Playground Preshared Key Exposure

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

6.5CVSS5.9AI score0.00286EPSS
Exploits0References10
cnnvd
cnnvd
added 2026/04/17 12:0 a.m.9 views

OpenFGA 安全漏洞

OpenFGA is an open-source authorization/licensing engine built for developers, inspired by Google Zanzibar. Versions of OpenFGA from 0.1.4 to 1.13.1 contain security vulnerabilities. These vulnerabilities stem from the fact that the playground endpoint responses include pre-shared API keys, which...

6.5CVSS5.8AI score0.00286EPSS
Exploits0References1
wolfi
wolfi
added 2026/04/15 1:48 p.m.11 views

CVE-2026-40293 vulnerabilities

Vulnerabilities for packages: openfga, grafana...

7.5CVSS6.1AI score0.00286EPSS
Exploits0
snyk
snyk
added 2026/04/08 9:51 p.m.3 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the runPlaygroundServer process in cmd/run/run.go and the playground configuration in pkg/server/config/config.go. An attacker can recover the preshared API key by sending an unauthenticated request to the...

7.5CVSS5.8AI score0.00286EPSS
Exploits0References2
osv
osv
added 2026/04/08 9:51 p.m.15 views

GHSA-68M9-983M-F3V5 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response

Description When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It...

6.5CVSS5.8AI score0.00286EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/04/08 12:0 a.m.13 views

PT-2026-32978

Name of the Vulnerable Software and Affected Versions OpenFGA versions 0.1.4 through 1.13.1 Description When configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the '/playground' endpoint. Thi...

7.5CVSS5.9AI score0.00286EPSS
Exploits0References18
euvd
euvd
added 2026/04/07 6:5 p.m.4 views

EUVD-2026-19486

OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision...

5CVSS5.9AI score0.00211EPSS
Exploits0References2
osv
osv
added 2026/04/07 6:5 p.m.15 views

GHSA-JWVJ-G8PC-CX45 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

Description In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. Am I affected? You are affected if you meet the following preconditions: 1. You execute BatchCheck operation...

5CVSS5.9AI score0.00211EPSS
Exploits0References3
github
github
added 2026/04/07 6:5 p.m.7 views

OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

Description In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. Am I affected? You are affected if you meet the following preconditions: 1. You execute BatchCheck operation...

8.8CVSS6AI score0.00211EPSS
Exploits0References3Affected Software1
redhatcve
redhatcve
added 2026/04/07 4:7 a.m.2 views

CVE-2026-34972

A flaw was found in OpenFGA, a high-performance authorization engine. Under specific conditions, a user making BatchCheck calls with multiple checks for the same object, relation, and user combination can trigger improper policy enforcement. This can lead to incorrect authorization decisions,...

8.8CVSS5.8AI score0.00211EPSS
Exploits0References4
nvd
nvd
added 2026/04/06 9:16 p.m.5 views

CVE-2026-34972

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

8.8CVSS0.00211EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/04/06 8:41 p.m.3 views

CVE-2026-34972

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

5CVSS5.9AI score0.00211EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/04/06 8:41 p.m.18 views

CVE-2026-34972 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

5CVSS0.00211EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/04/06 8:41 p.m.3 views

CVE-2026-34972 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

5CVSS5.9AI score0.00211EPSS
Exploits0References1
cve
cve
added 2026/04/06 8:41 p.m.21 views

CVE-2026-34972

OpenFGA vulnerability CVE-2026-34972 affects OpenFGA versions 1.8.0 through 1.13.1. The issue arises when BatchCheck is invoked with multiple checks for the same object, relation, and user, leading to improper policy enforcement. It is resolved in version 1.14.0. CVSS metrics indicate high impact...

8.8CVSS5.9AI score0.00211EPSS
Exploits0References1Affected Software2
osv
osv
added 2026/04/06 8:41 p.m.3 views

CVE-2026-34972 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

5CVSS5.9AI score0.00211EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/04/06 12:0 a.m.4 views

PT-2026-30732

Name of the Vulnerable Software and Affected Versions OpenFGA versions 1.8.0 through 1.13.1 Description OpenFGA is an authorization/permission engine. BatchCheck calls with multiple checks for the same object, relation, and user can lead to improper policy enforcement under specific conditions...

8.8CVSS5.9AI score0.00211EPSS
Exploits0References7
cnnvd
cnnvd
added 2026/04/06 12:0 a.m.11 views

OpenFGA 安全漏洞

OpenFGA is an open-source tool built for developers, inspired by Google Zanzibar. It’s a high-performance and flexible authorization/licensing engine. Versions of OpenFGA from 1.8.0 to 1.13.1 have security vulnerabilities. These vulnerabilities arise from calls to the BatchCheck function under...

8.8CVSS5.9AI score0.00211EPSS
Exploits0References1
Rows per page
Query Builder