CVE-2026-55689
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
09/07/2026
Last modified:
09/07/2026
Description
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.
Impact
Base Score 3.x
6.80
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/openfga/helm-ch
- https://github.com/openfga/helm-charts/releases/tag/openfga-0.3.9
- https://github.com/openfga/openfga/commit/44596773b2e62738720ef215bf7fa04352954271
- https://github.com/openfga/openfga/releases/tag/v1.18.0
- https://github.com/openfga/openfga/security/advisories/GHSA-hcxc-wf8j-23hv



