2 matches found
CVE-2026-40293
OpenFGA prior to v1.14.0 (versions 0.1.4–1.13.1) with preshared authentication and enabled playground exposes the preshared API key in the HTML response of the /playground endpoint, which is unauthenticated and accessible beyond localhost/trusted networks. This is the core issue described in GO-2...
GHSA-68M9-983M-F3V5 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
Description When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It...