Description
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-hcxc-wf8j-23hv | OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset |
References
History
Thu, 09 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Openfga
Openfga openfga |
|
| Vendors & Products |
Openfga
Openfga openfga |
Thu, 09 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0. | |
| Title | OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset | |
| Weaknesses | CWE-287 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T21:06:22.543Z
Reserved: 2026-06-17T00:13:10.650Z
Link: CVE-2026-55689
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T22:30:05Z
Weaknesses
-
CWE-287
Improper Authentication
Github GHSA