Lucene search
K

4 matches found

CVE
CVE
added yesterday40 views

CVE-2026-55689

OpenFGA OpenID Connect authentication had a JWT audience validation bypass prior to 1.18.0 when authn.method=oidc, issuer configured, and authn.oidc.audience unset. This allowed a token minted for a different service by the same identity provider to authenticate to OpenFGA. The issue is fixed in ...

6.8CVSS6AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55297

Name of the Vulnerable Software and Affected Versions Dapr affected versions not specified Description Dapr Sentry's OIDC discovery endpoint /.well-known/openid-configuration derives the issuer and jwks uri from the request Host. When no allowed-hosts list is configured, the system honors an...

8.2CVSS6AI score0.00246EPSS
Exploits0References8
OSV
OSV
added 2026/06/19 2:35 p.m.7 views

GHSA-HCXC-WF8J-23HV OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...

6.8CVSS5.8AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/19 2:35 p.m.11 views

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...

6.8CVSS5.8AI score
Exploits0References2Affected Software1
Rows per page
Query Builder