346 matches found
CVE-2026-55170
A flaw was found in OpenFGA, an authorization/permission engine. When using MySQL as the datastore, and authorization decisions depend on case-sensitive user strings, the system may incorrectly treat case-distinct values e.g., 'user:Alice' and 'user:alice' as equivalent. This can lead to improper...
CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when OpenFGA is configured to use OIDC authentication authn.method=oidc, authn.oidc.issuer set but authn.oidc.audience is left unset, the JWT audience claim on incoming bearer tokens is not validated. As a result...
Linux Distros Unpatched Vulnerability : CVE-2026-55170
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely ...
Linux Distros Unpatched Vulnerability : CVE-2026-55689
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when...
CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
CVE-2026-55170
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...
CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
CVE-2026-55689 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
CVE-2026-55689 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
CVE-2026-55689
OpenFGA’s OIDC authentication could accept tokens from the same identity provider for a different application when authn.method=oidc and authn.oidc.issuer is configured but authn.oidc.audience is unset (pre-1.18.0). This allowed unauthorized authentication to OpenFGA. The issue is fixed in OpenFG...
CVE-2026-55170
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...
CVE-2026-55170 OpenFGA MySQL backend: case-insensitive collation on identifier columns causes incorrect authorization decisions
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...
CVE-2026-55170 OpenFGA MySQL backend: case-insensitive collation on identifier columns causes incorrect authorization decisions
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...
CVE-2026-55170
OpenFGA Open Source CVE-2026-55170 affects the MySQL datastore when decisions rely on case-sensitive user strings. The tuple, changelog, and authorization_model identifier columns can treat case-distinct values (e.g., user:Alice vs user:alice) as equivalent, potentially causing two distinct check...
GO-2026-5423 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga
OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga...
GO-2026-5483 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision in github.com/openfga/openfga
OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision in github.com/openfga/openfga...
GO-2026-5322 OpenFGA Improper Policy Enforcement in github.com/openfga/openfga
OpenFGA Improper Policy Enforcement in github.com/openfga/openfga...
GO-2026-5239 OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning in github.com/openfga/openfga
OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning in github.com/openfga/openfga...
GO-2026-5136 OpenFGA has Improper Policy Enforcement in github.com/openfga/openfga
OpenFGA has Improper Policy Enforcement in github.com/openfga/openfga...
GO-2026-5170 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response in github.com/openfga/openfga
OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response in github.com/openfga/openfga...