Case Sensitivity Vulnerability in OpenFGA Authorization Engine
CVE-2026-55170
2.1LOW
What is CVE-2026-55170?
OpenFGA, an authorization engine designed for developers, is susceptible to a case sensitivity flaw when using MySQL as its datastore. In versions prior to 1.18.0, the system fails to differentiate between case-distinct user identifiers; for instance, 'user:Alice' is treated the same as 'user:alice'. This misconfiguration can lead to erroneous authorization decisions, where two distinct check requests yield identical results. The issue has been resolved in version 1.18.0, ensuring that case sensitivity in user identifiers is appropriately respected.
Affected Version(s)
openfga < 1.18.0
