4 matches found
CVE-2026-55689
OpenFGA OpenID Connect authentication had a JWT audience validation bypass prior to 1.18.0 when authn.method=oidc, issuer configured, and authn.oidc.audience unset. This allowed a token minted for a different service by the same identity provider to authenticate to OpenFGA. The issue is fixed in ...
PT-2026-55297
Name of the Vulnerable Software and Affected Versions Dapr affected versions not specified Description Dapr Sentry's OIDC discovery endpoint /.well-known/openid-configuration derives the issuer and jwks uri from the request Host. When no allowed-hosts list is configured, the system honors an...
GHSA-HCXC-WF8J-23HV OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...
OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...