CVE-2026-55689 in OpenFGAinfo

Summary

by MITRE • 07/10/2026

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/10/2026

OpenFGA represents a critical authorization engine that serves developers in implementing access control systems, making it a prime target for attackers seeking to escalate privileges within applications that rely on its permission model. The vulnerability under discussion stems from an improper implementation of OpenID Connect authentication logic where the system fails to validate JWT audiences when specific configuration parameters are met. This flaw exists in versions prior to 1.18.0 and creates a significant security gap in the authentication process.

The technical flaw manifests when the system's OIDC authenticator operates under specific conditions: authn.method must be set to oidc, authn.oidc.issuer must be configured, and authn.oidc.audience must remain unset. Under these circumstances, the authenticator bypasses validation of the JWT audience claim, which is a fundamental security mechanism designed to ensure tokens are issued for the specific service requesting authentication. This configuration creates an implicit trust relationship that allows any token issued by the same identity provider to be accepted regardless of its intended audience.

The operational impact of this vulnerability extends beyond simple authentication bypass, as it essentially eliminates the audience validation check that serves as a crucial security control in distributed systems. An attacker who gains access to a valid JWT token minted for a different service but issued by the same identity provider can leverage this weakness to authenticate to OpenFGA systems without proper authorization. This scenario creates potential for privilege escalation, unauthorized data access, and lateral movement within environments that depend on OpenFGA for access control decisions.

The vulnerability aligns with CWE-290 authentication bypass weakness and represents a failure in implementing proper token validation procedures as outlined in OAuth 2.0 and OpenID Connect specifications. From an attack perspective, this issue maps to the privilege escalation and initial access phases of the MITRE ATT&CK framework, where attackers exploit weak authentication mechanisms to gain unauthorized access to systems. The fix implemented in version 1.18.0 addresses this by enforcing proper audience validation regardless of configuration state, ensuring that JWT tokens are validated against the expected audience value.

Organizations relying on OpenFGA should immediately implement the upgrade to version 1.18.0 or later to remediate this vulnerability. Additionally, security teams should conduct thorough assessments of their current OpenFGA configurations to ensure that the authn.oidc.audience parameter is properly set and validated across all environments. The mitigation strategy should also include monitoring for unauthorized access attempts and implementing proper logging of authentication events to detect potential exploitation attempts. This vulnerability underscores the critical importance of maintaining strict token validation procedures in distributed authorization systems where improper implementation can lead to significant security compromise.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!