2 matches found
CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
PT-2026-50974
Name of the Vulnerable Software and Affected Versions OpenFGA versions prior to 1.18.0 Description The OIDC authenticator fails to validate the JWT audience aud claim when no audience is configured. In environments where a single identity provider issues tokens for multiple services, a token...