Description
OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It is intended for local development and debugging and is not designed to be exposed to production environments. Only those who run OpenFGA with `--authn-method preshared`, with the playground enabled, and with the playground endpoint accessible beyond localhost or trusted networks are vulnerable. To remediate the issue, users should upgrade to OpenFGA v1.14.0, or disable the playground by running `./openfga run --playground-enabled=false`.
Published: 2026-04-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Exposes preshared API key in playground response
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in OpenFGA occurs when the playground feature is enabled and the server is configured to use preshared-key authentication. In this configuration, requests to the /playground endpoint return the API key as part of the HTML payload. This disclosure of a secret credential can lead to credential compromise, allowing an attacker who can reach the host to authenticate to the service with elevated privileges. The weakness is an information-disclosure flaw, categorized as CWE-200, and an authentication bypass flaw, categorized as CWE-201.

Affected Systems

Products affected are OpenFGA, version range 0.1.4 through 1.13.1. The issue exists only when the server is started with the --authn-method preshared flag and the playground is enabled (the default). Systems that restrict the /playground endpoint to localhost or otherwise protected networks are not vulnerable. All other OpenFGA versions are unaffected.

Risk and Exploitability

The issue has a CVSS score of 6.5, indicating moderate severity. The EPSS score of 0.00056 indicates a very low probability of exploitation and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a network attacker who can reach the OpenFGA host and send an HTTP request to /playground. Because the endpoint requires no authentication, the attacker can obtain the preshared key directly. Once the key is known, it can be used to authenticate to the server, potentially giving the attacker full control over the authorization engine. The condition of the playground being accessible beyond localhost or from untrusted networks is a prerequisite, so securing the endpoint or disabling the playground mitigates the risk.
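The affected-configuration conditions above can be turned into a triage check an operator runs against their own deployment inventory. This is an added example, not OpenFGA project code; the version range and flag values come from the advisory, while the `bind_addr` host:port form and the `leaked_keys` post-upgrade self-check are assumptions of this example.

```python
"""Triage helper for the OpenFGA /playground preshared-key exposure.

Constructed example, not OpenFGA project code: it encodes the conditions
the advisory lists (affected versions 0.1.4 through 1.13.1, --authn-method
preshared, playground enabled, playground reachable beyond localhost)."""
import re
from ipaddress import ip_address

FIRST_AFFECTED = (0, 1, 4)
LAST_AFFECTED = (1, 13, 1)

def parse_version(v: str) -> tuple:
    """'v1.13.1' or '1.13.1' -> (1, 13, 1); any suffix after patch is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised OpenFGA version: {v!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(v: str) -> bool:
    """True for 0.1.4 <= v <= 1.13.1; 1.14.0 and later carry the fix."""
    return FIRST_AFFECTED <= parse_version(v) <= LAST_AFFECTED

def listens_beyond_localhost(bind_addr: str) -> bool:
    """True unless the playground listener is bound to a loopback address.
    Assumption: bind_addr is 'host:port' ('[::1]:3000', '0.0.0.0:3000', ':3000')."""
    host = bind_addr.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return False
    if host == "":               # ':port' means all interfaces
        return True
    try:
        return not ip_address(host).is_loopback
    except ValueError:           # a hostname we cannot classify: treat as reachable
        return True

def is_exposed(version: str, authn_method: str,
               playground_enabled: bool, bind_addr: str) -> bool:
    """All four advisory conditions must hold for the key to be disclosed."""
    return (version_affected(version)
            and authn_method == "preshared"
            and playground_enabled
            and listens_beyond_localhost(bind_addr))

def leaked_keys(playground_html: str, preshared_keys) -> list:
    """Keys that appear verbatim in a /playground body fetched from your own
    instance: a post-upgrade check that should return an empty list."""
    return [k for k in preshared_keys if k and k in playground_html]
```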

Generated by OpenCVE AI on April 22, 2026 at 06:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenFGA to version 1.14.0 or later to eliminate the key exposure.
  • If an upgrade is not yet possible, disable the playground feature by running `./openfga run --playground-enabled=false`.
  • In production deployments, avoid using preshared-key authentication and ensure the playground is either disabled or restricted to trusted local networks.

Generated by OpenCVE AI on April 22, 2026 at 06:00 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-68m9-983m-f3v5
Title: OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
History

Mon, 27 Apr 2026 19:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:openfga:openfga:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-201

Type: References (no values shown)

Type: Metrics threat_severity
Values Removed: None
Values Added: Important


Mon, 20 Apr 2026 17:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 22:45:00 +0000

Type: First Time appeared
Values Added: Openfga; Openfga openfga

Type: Vendors & Products
Values Added: Openfga; Openfga openfga

Fri, 17 Apr 2026 21:15:00 +0000

Type: Description
Values Added: OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It is intended for local development and debugging and is not designed to be exposed to production environments. Only those who run OpenFGA with `--authn-method preshared`, with the playground enabled, and with the playground endpoint accessible beyond localhost or trusted networks are vulnerable. To remediate the issue, users should upgrade to OpenFGA v1.14.0, or disable the playground by running `./openfga run --playground-enabled=false`.

Type: Title
Values Added: OpenFGA Playground Preshared Key Exposure

Type: Weaknesses
Values Added: CWE-200

Type: References (no values shown)

Type: Metrics cvssV3_1
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:19:40.914Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40293

Vulnrichment

Updated: 2026-04-20T16:19:37.062Z

NVD

Status : Analyzed

Published: 2026-04-17T21:16:34.567

Modified: 2026-04-27T19:39:47.497

Link: CVE-2026-40293

Redhat

Severity : Important

Public Date: 2026-04-17T20:47:06Z

Links: CVE-2026-40293 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses