339 matches found
CVE-2026-55170
A flaw was found in OpenFGA, an authorization/permission engine. When using MySQL as the datastore, and authorization decisions depend on case-sensitive user strings, the system may incorrectly treat case-distinct values e.g., 'user:Alice' and 'user:alice' as equivalent. This can lead to improper...
CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when OpenFGA is configured to use OIDC authentication authn.method=oidc, authn.oidc.issuer set but authn.oidc.audience is left unset, the JWT audience claim on incoming bearer tokens is not validated. As a result...
CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
CVE-2026-55170
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...
CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
CVE-2026-55689 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
CVE-2026-55689
OpenFGA OpenID Connect authentication had a JWT audience validation bypass prior to 1.18.0 when authn.method=oidc, issuer configured, and authn.oidc.audience unset. This allowed a token minted for a different service by the same identity provider to authenticate to OpenFGA. The issue is fixed in ...
CVE-2026-55170
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...
CVE-2026-55170
CVE-2026-55170 affects OpenFGA when using MySQL as the datastore prior to 1.18.0. Case-insensitive/case-distinct comparisons on the tuple, changelog, and authorization_model identifier columns can cause values like user:Alice and user:alice to be treated as equivalent, making two distinct check r...
CVE-2026-55170 OpenFGA MySQL backend: case-insensitive collation on identifier columns causes incorrect authorization decisions
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...
GO-2026-5483 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision in github.com/openfga/openfga
OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision in github.com/openfga/openfga...
GO-2026-5423 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga
OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga...
GO-2026-5322 OpenFGA Improper Policy Enforcement in github.com/openfga/openfga
OpenFGA Improper Policy Enforcement in github.com/openfga/openfga...
GO-2026-5239 OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning in github.com/openfga/openfga
OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning in github.com/openfga/openfga...
GO-2026-5136 OpenFGA has Improper Policy Enforcement in github.com/openfga/openfga
OpenFGA has Improper Policy Enforcement in github.com/openfga/openfga...
GO-2026-5170 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response in github.com/openfga/openfga
OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response in github.com/openfga/openfga...
OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...
GHSA-HCXC-WF8J-23HV OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...
PT-2026-50974
Name of the Vulnerable Software and Affected Versions OpenFGA versions prior to 1.18.0 Description The OIDC authenticator fails to validate the JWT audience aud claim when no audience is configured. In environments where a single identity provider issues tokens for multiple services, a token...
GHSA-CF98-J28V-49V6 OpenFGA Improper Policy Enforcement
Description In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response. Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with MySQL as the datastore 2. Your authorization decisions rely on case-sensitive use...