5 matches found
CVE-2025-25196
CVE-2025-25196 concerns OpenFGA (< v1.8.4; Helm chart < openfga-0.2.22; docker
CVE-2026-55689
OpenFGA’s OIDC authentication could accept tokens from the same identity provider for a different application when authn.method=oidc and authn.oidc.issuer is configured but authn.oidc.audience is unset (pre-1.18.0). This allowed unauthorized authentication to OpenFGA. The issue is fixed in OpenFG...
CVE-2026-48096
OpenFGA: The CVE affects the OpenFGA authorization engine prior to v1.16.0 due to an issue with iterator caching where two distinct check requests could produce the same cache key, causing reuse of an earlier cached result. The root cause is described as a cache-key issue in the shared-iterator a...
CVE-2026-55170
OpenFGA Open Source CVE-2026-55170 affects the MySQL datastore when decisions rely on case-sensitive user strings. The tuple, changelog, and authorization_model identifier columns can treat case-distinct values (e.g., user:Alice vs user:alice) as equivalent, potentially causing two distinct check...
CVE-2026-41131
CVE-2026-41131 affects OpenFGA prior to version 1.14.1. In scenarios where models use conditions with caching enabled, two distinct check requests can yield the same cache key, causing an earlier cached result to be reused for a later request. Preconditions: the model has relations that rely on c...