๐Ÿ” CVE Alert

CVE-2026-55689

MEDIUM 6.8

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

CVSS Score
6.8
EPSS Score
0.3%
EPSS Percentile
22th

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.

CWE CWE-287
Vendor openfga
Product openfga
Published Jul 9, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for openfga openfga

Be the first to know when new medium vulnerabilities affecting openfga openfga are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

openfga / openfga
< 1.18.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/openfga/openfga/security/advisories/GHSA-hcxc-wf8j-23hv github.com: https://github.com/openfga/openfga/commit/44596773b2e62738720ef215bf7fa04352954271 github.com: https://github.com/openfga/helm-ch github.com: https://github.com/openfga/helm-charts/releases/tag/openfga-0.3.9 github.com: https://github.com/openfga/openfga/releases/tag/v1.18.0