PatchSiren cyber security CVE debrief
CVE-2026-40293 openfga CVE debrief
OpenFGA, an authorization/permission engine for developers, has a vulnerability in versions 0.1.4 through 1.13.1. When configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default but not designed for production environments. Users running OpenFGA with preshared authentication, the playground enabled, and the endpoint accessible beyond localhost or trusted networks are vulnerable. To remediate, upgrade to OpenFGA v1.14.0 or disable the playground by running `./openfga run --playground-enabled=false`.
- Vendor: openfga
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-17
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-17
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using OpenFGA versions 0.1.4 through 1.13.1 with preshared-key authentication and the playground enabled should be aware of this vulnerability. Those with the playground endpoint exposed beyond localhost or trusted networks are at risk. Upgrading to v1.14.0 or disabling the playground can mitigate the issue.
Technical summary
The vulnerability in OpenFGA allows unauthorized access to the preshared API key when the playground is enabled and accessible. This issue arises from the server including the preshared API key in the HTML response of the /playground endpoint. The CVSS score for this vulnerability is 6.5, indicating a medium severity level. The vulnerability is characterized by CWE-200 (Information Exposure) and CWE-201 (Information Exposure Through Sent Data).
Defensive priority
Medium priority should be given to upgrading OpenFGA to version 1.14.0 or later. In the meantime, disabling the playground endpoint can serve as a temporary mitigation measure.
Recommended defensive actions
- Upgrade OpenFGA to version 1.14.0 or later.
- Disable the playground endpoint by running `./openfga run --playground-enabled=false`.
- Review and restrict access to the /playground endpoint to trusted networks or localhost.
- Monitor for any unauthorized access or exposure of the preshared API key.
- Consider implementing additional security measures for authentication and authorization.
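As an added triage helper, not part of this debrief or of the OpenFGA project, the following Python encodes the four exposure conditions stated above (affected version range, preshared-key authentication, playground enabled, playground reachable beyond localhost) so an inventory of deployments can be checked consistently; the authn method spellings, the playground bind-address field and the loopback host list are assumptions.

```python
from dataclasses import dataclass

# Affected range from the advisory: 0.1.4 through 1.13.1; fixed in 1.14.0.
AFFECTED_MIN = (0, 1, 4)
FIXED_IN = (1, 14, 0)
# Hosts treated as "local only" (assumed list, not from the advisory).
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_version(v: str) -> tuple:
    """Turn 'v1.13.1', '1.13.1' or '1.14.0-rc1' into a comparable int tuple."""
    core = v.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))  # pad '1.13' to (1, 13, 0)


def version_affected(v: str) -> bool:
    return AFFECTED_MIN <= parse_version(v) < FIXED_IN


def reachable_beyond_localhost(listen_addr: str) -> bool:
    """True when the bind host is not loopback, e.g. '0.0.0.0:3000' or ':3000'."""
    host = listen_addr.rsplit(":", 1)[0] if ":" in listen_addr else listen_addr
    return host.strip("[]") not in LOOPBACK_HOSTS


@dataclass
class Deployment:
    version: str
    authn_method: str         # "preshared", "oidc" or "none" (assumed spellings)
    playground_enabled: bool  # value of --playground-enabled
    playground_addr: str      # host:port the playground listens on (assumed field)


def assess(d: Deployment) -> dict:
    """Apply the advisory's conditions and return a triage verdict."""
    conditions = {
        "affected_version": version_affected(d.version),
        "preshared_authn": d.authn_method == "preshared",
        "playground_enabled": d.playground_enabled,
        "exposed_beyond_localhost": reachable_beyond_localhost(d.playground_addr),
    }
    exposed = all(conditions.values())
    if exposed:
        action = "upgrade to v1.14.0 or run with --playground-enabled=false"
    elif conditions["affected_version"] and conditions["preshared_authn"]:
        action = "keep the playground disabled or local-only until upgraded to v1.14.0"
    else:
        action = "no action required for CVE-2026-40293"
    return {"exposed": exposed, "conditions": conditions, "action": action}
```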
Evidence notes
The CVE record and NVD detail provide information on the vulnerability's impact and affected versions. Vendor advisories and mitigation strategies are available through OpenFGA's GitHub releases and security advisories.
Official resources
- CVE-2026-40293 CVE record (CVE.org)
- CVE-2026-40293 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.