CVE-2026-55170 in OpenFGAinfo

Summary

by MITRE • 07/10/2026

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability described affects OpenFGA version 1.18.0 and earlier when MySQL is used as the underlying datastore for authorization operations. This represents a critical security flaw that undermines the fundamental principle of access control by allowing case-insensitive comparisons where case-sensitive matching was intended. The issue manifests in the core tuple, changelog, and authorization_model identifier columns within the MySQL database schema, where identifiers such as user:Alice and user:alice are treated as equivalent during authorization decision processes.

The technical implementation flaw stems from improper handling of string comparison operations within the MySQL datastore integration. When OpenFGA performs authorization checks using case-sensitive user strings, the underlying database queries fail to maintain the required case sensitivity in their comparisons. This creates a scenario where two distinct user identifiers that differ only in case are evaluated as identical, leading to incorrect authorization decisions. The vulnerability impacts the core authorization engine's ability to distinguish between users with similar names but different capitalization, which can result in unauthorized access to resources.

This flaw has significant operational impact on systems relying on OpenFGA for access control enforcement. When authorization decisions depend on case-sensitive user identifiers, attackers could exploit this weakness by submitting requests using alternative case variations of legitimate user names to gain unauthorized access. The vulnerability essentially allows privilege escalation through case manipulation attacks where the system fails to properly differentiate between user identities. This undermines the principle of least privilege and can lead to data breaches or unauthorized resource access across applications using OpenFGA with MySQL as their datastore.

The fix implemented in version 1.18.0 addresses this issue by ensuring proper case-sensitive string comparison operations within the MySQL integration layer. Organizations should immediately upgrade to version 1.18.0 or later to remediate this vulnerability, as it represents a fundamental failure in access control enforcement that could be exploited by malicious actors. The resolution involves updating the database query mechanisms to maintain proper case sensitivity during authorization checks, ensuring that user:Alice and user:alice are treated as distinct identities. This vulnerability aligns with CWE-284 Access Control Issues and can be categorized under ATT&CK technique T1078 Valid Accounts, as it enables unauthorized access through manipulation of account identifiers. Organizations should conduct thorough security assessments to identify any systems using vulnerable versions of OpenFGA and implement proper patch management protocols to prevent exploitation of this authorization bypass vulnerability.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!