Authorization Engine Vulnerability in OpenFGA by OpenFGA
CVE-2026-55689

6.8MEDIUM

Key Information:

Vendor

Openfga

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-55689?

OpenFGA is an authorization engine designed for developers, and it contains a vulnerability where the OIDC authenticator fails to validate the JWT audience correctly. This issue arises when the authentication method is set to OIDC, and both an issuer is configured while the audience is not set. As a result, tokens issued for unrelated services by the same identity provider can incorrectly authenticate to OpenFGA, creating a significant security risk. The problem has been addressed in version 1.18.0, which now enforces proper audience validation.

Affected Version(s)

openfga < 1.18.0

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.