Description
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-cf98-j28v-49v6 | OpenFGA Improper Policy Enforcement |
References
History
Thu, 09 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Openfga
Openfga openfga |
|
| Vendors & Products |
Openfga
Openfga openfga |
Thu, 09 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0. | |
| Title | OpenFGA MySQL backend: case-insensitive collation on identifier columns causes incorrect authorization decisions | |
| Weaknesses | CWE-178 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T21:04:28.713Z
Reserved: 2026-06-16T15:13:28.166Z
Link: CVE-2026-55170
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T22:30:05Z
Weaknesses
-
CWE-178
Improper Handling of Case Sensitivity
Github GHSA