Authorization Engine Vulnerability in OpenFGA by OpenFGA
CVE-2026-55689
6.8MEDIUM
What is CVE-2026-55689?
OpenFGA is an authorization engine designed for developers, and it contains a vulnerability where the OIDC authenticator fails to validate the JWT audience correctly. This issue arises when the authentication method is set to OIDC, and both an issuer is configured while the audience is not set. As a result, tokens issued for unrelated services by the same identity provider can incorrectly authenticate to OpenFGA, creating a significant security risk. The problem has been addressed in version 1.18.0, which now enforces proper audience validation.
Affected Version(s)
openfga < 1.18.0
