๐Ÿ” CVE Alert

CVE-2026-55170

UNKNOWN 0.0

OpenFGA MySQL backend: case-insensitive collation on identifier columns causes incorrect authorization decisions

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
26th

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0.

CWE CWE-178
Vendor openfga
Product openfga
Published Jul 9, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for openfga openfga

Be the first to know when new unknown vulnerabilities affecting openfga openfga are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

openfga / openfga
< 1.18.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/openfga/openfga/security/advisories/GHSA-cf98-j28v-49v6 github.com: https://github.com/openfga/helm-charts/commit/96d5517a2693ff5def451dee7d6b9d1baeb281f8 github.com: https://github.com/openfga/openfga/commit/a2e0dbefc3e01a95c785f81a3563bc6571b08b11 github.com: https://github.com/openfga/helm-charts/releases/tag/openfga-0.3.9 github.com: https://github.com/openfga/openfga/releases/tag/v1.18.0