OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.
History

Fri, 10 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 09 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Openfga
Openfga openfga
Vendors & Products Openfga
Openfga openfga

Thu, 09 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.
Title OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-07-09T21:06:22.543Z

Updated: 2026-07-10T13:45:39.194Z

Reserved: 2026-06-17T00:13:10.650Z

Link: CVE-2026-55689

cve-icon Vulnrichment

Updated: 2026-07-10T13:45:36.001Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-09T21:06:22Z

Links: CVE-2026-55689 - Bugzilla