GHSA-hcxc-wf8j-23hv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hcxc-wf8j-23hv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hcxc-wf8j-23hv/GHSA-hcxc-wf8j-23hv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hcxc-wf8j-23hv
- Aliases
-
- CVE-2026-55689
- Downstream
- Related
- Published
- 2026-06-19T14:35:35Z
- Modified
- 2026-06-21T01:59:33.745762600Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
- Details
-
Description
OpenFGA's OIDC authenticator skipped JWT audience (
aud) validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA.Preconditions
This applies if the following preconditions are met:
- You run OpenFGA with
authn.methodset tooidc. - You configured
authn.oidc.issuerbut did not setauthn.oidc.audience(--authn-oidc-audience/OPENFGA_AUTHN_OIDC_AUDIENCE).
Fix
Upgrade to OpenFGA 1.18.0 or greater. OpenFGA now refuses to start in
oidcmode unless bothauthn.oidc.issuerandauthn.oidc.audienceare set, and theaudclaim is always validated.Acknowledgements
OpenFGA would like to thank https://github.com/0xVijay for the report.
- You run OpenFGA with
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-19T14:35:35Z", "nvd_published_at": null, "severity": "MODERATE", "cwe_ids": [ "CWE-287" ] }- References
Affected packages
Go / github.com/openfga/openfga
Package
- Name
- github.com/openfga/openfga
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openfga/openfga