Case Sensitivity Vulnerability in OpenFGA Authorization Engine
CVE-2026-55170

2.1LOW

Key Information:

Vendor

Openfga

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-55170?

OpenFGA, an authorization engine designed for developers, is susceptible to a case sensitivity flaw when using MySQL as its datastore. In versions prior to 1.18.0, the system fails to differentiate between case-distinct user identifiers; for instance, 'user:Alice' is treated the same as 'user:alice'. This misconfiguration can lead to erroneous authorization decisions, where two distinct check requests yield identical results. The issue has been resolved in version 1.18.0, ensuring that case sensitivity in user identifiers is appropriately respected.

Affected Version(s)

openfga < 1.18.0

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.