GHSA-cf98-j28v-49v6

Source
https://github.com/advisories/GHSA-cf98-j28v-49v6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cf98-j28v-49v6/GHSA-cf98-j28v-49v6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cf98-j28v-49v6
Aliases
  • CVE-2026-55170
Published
2026-06-18T15:05:30Z
Modified
2026-06-20T11:59:21.452325217Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Summary
OpenFGA Improper Policy Enforcement
Details

Description

In OpenFGA, when MySQL is used as the datastore, two distinct check requests whose user strings differ only in letter case can return the same response (CWE-178, improper handling of case sensitivity). An authorization decision intended for one user identifier can therefore also be returned for a second identifier that is meant to be a different principal.

Preconditions

This applies if the following preconditions are met:

  1. You run OpenFGA with MySQL as the datastore
  2. Your authorization decisions rely on case-sensitive user strings.
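The following Go program is an added illustration, not OpenFGA's own code and not a call into its API. It models a direct-tuple check with a pluggable user-identifier comparison: ExactMatch stands in for a case-sensitive (binary) comparison and FoldMatch, built on strings.EqualFold, stands in for a case-insensitive datastore collation. It also includes a small audit, CaseCollisions, that scans a constructed tuple list for user identifiers that are distinct byte-for-byte but equal under case folding, which is the situation precondition 2 describes. The tuple data, the Check function and the folding rule are assumptions for the example; real MySQL collation rules are broader than ASCII case folding.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Tuple is a simplified relationship tuple: User has Relation on Object.
type Tuple struct {
	Object   string
	Relation string
	User     string
}

// Comparator decides whether a stored user identifier matches a requested one.
type Comparator func(stored, requested string) bool

// ExactMatch models a case-sensitive (binary collation) comparison.
func ExactMatch(stored, requested string) bool { return stored == requested }

// FoldMatch stands in for a case-insensitive collation: "user:alice" and
// "user:Alice" compare equal. (Assumption: EqualFold approximates the
// datastore's folding; MySQL's *_ci collations can fold more than ASCII case.)
func FoldMatch(stored, requested string) bool { return strings.EqualFold(stored, requested) }

// Check returns true if some tuple grants user the relation on object, using
// cmp to compare user identifiers. Only direct tuples are considered here;
// usersets, computed relations and conditions are out of scope for the model.
func Check(tuples []Tuple, cmp Comparator, object, relation, user string) bool {
	for _, t := range tuples {
		if t.Object == object && t.Relation == relation && cmp(t.User, user) {
			return true
		}
	}
	return false
}

// CaseCollisions groups user identifiers that differ byte-for-byte but are
// equal after case folding. Each group is a set of principals a
// case-insensitive datastore would conflate; an empty result means the
// tuple set does not depend on case-sensitive user strings.
func CaseCollisions(tuples []Tuple) map[string][]string {
	byFolded := map[string]map[string]struct{}{}
	for _, t := range tuples {
		key := strings.ToLower(t.User) // folding key; ASCII-only approximation
		if byFolded[key] == nil {
			byFolded[key] = map[string]struct{}{}
		}
		byFolded[key][t.User] = struct{}{}
	}
	out := map[string][]string{}
	for key, set := range byFolded {
		if len(set) < 2 {
			continue
		}
		for u := range set {
			out[key] = append(out[key], u)
		}
		sort.Strings(out[key]) // deterministic order for reporting
	}
	return out
}

// SampleTuples is constructed data for the example: "user:alice" and
// "user:Alice" are intended to be two different principals.
func SampleTuples() []Tuple {
	return []Tuple{
		{Object: "document:roadmap", Relation: "viewer", User: "user:alice"},
		{Object: "document:roadmap", Relation: "editor", User: "user:Alice"},
		{Object: "document:budget", Relation: "viewer", User: "user:bob"},
	}
}

func main() {
	tuples := SampleTuples()
	// Case-sensitive store: Alice does not inherit alice's viewer tuple.
	fmt.Println("exact:", Check(tuples, ExactMatch, "document:roadmap", "viewer", "user:Alice"))
	// Case-insensitive store: the two requests collapse into one answer.
	fmt.Println("fold: ", Check(tuples, FoldMatch, "document:roadmap", "viewer", "user:Alice"))
	fmt.Println("collisions:", CaseCollisions(tuples))
}
```

Running the audit over an exported tuple list tells you whether precondition 2 applies before the upgrade is scheduled: a store with no folding collisions has no pair of principals to conflate, while any reported group marks identifiers whose decisions a case-insensitive datastore could merge.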

Fix

Upgrade to OpenFGA 1.18.0 or greater.

Acknowledgements

OpenFGA would like to thank @sahajamoth for the detailed report.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-18T15:05:30Z",
    "github_reviewed": true,
    "severity": "LOW",
    "cwe_ids": [
        "CWE-178"
    ]
}

Affected packages

Go / github.com/openfga/openfga

Package

Name
github.com/openfga/openfga
Purl
pkg:golang/github.com/openfga/openfga

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.18.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cf98-j28v-49v6/GHSA-cf98-j28v-49v6.json"