PatchSiren cyber security CVE debrief

CVE-2026-40293 openfga CVE debrief

OpenFGA, an authorization/permission engine for developers, has a vulnerability in versions 0.1.4 through 1.13.1. When configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default but not designed for production environments. Users running OpenFGA with preshared authentication, the playground enabled, and the endpoint accessible beyond localhost or trusted networks are vulnerable. To remediate, upgrade to OpenFGA v1.14.0 or disable the playground by running `./openfga run --playground-enabled=false`.

Vendor: openfga
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-17
Original CVE updated: 2026-06-30
Advisory published: 2026-04-17
Advisory updated: 2026-06-30

Who should care

Developers and administrators using OpenFGA versions 0.1.4 through 1.13.1 with preshared-key authentication and the playground enabled should be aware of this vulnerability. Those with the playground endpoint exposed beyond localhost or trusted networks are at risk. Upgrading to v1.14.0 or disabling the playground can mitigate the issue.

Technical summary

The vulnerability allows anyone who can reach the /playground endpoint to read the preshared API key, because the server embeds that key in the HTML response it serves for /playground whenever the playground is enabled. The CVSS score for this vulnerability is 6.5, indicating a medium severity level. The vulnerability is characterized by CWE-200 (Information Exposure) and CWE-201 (Information Exposure Through Sent Data).

Defensive priority

Medium priority should be given to upgrading OpenFGA to version 1.14.0 or later. In the meantime, disabling the playground endpoint (`./openfga run --playground-enabled=false`) serves as a temporary mitigation.

Recommended defensive actions

  • Upgrade OpenFGA to version 1.14.0 or later.
  • Disable the playground endpoint by running `./openfga run --playground-enabled=false`.
  • Review and restrict access to the /playground endpoint to trusted networks or localhost.
  • Monitor for any unauthorized access or exposure of the preshared API key.
  • Consider implementing additional security measures for authentication and authorization.
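The following script, added to this debrief and not part of OpenFGA itself, turns the conditions above into a configuration audit: it flags the vulnerable combination (affected version, preshared-key authentication, playground enabled, playground reachable beyond loopback) and, for verifying a deployment after the upgrade or the flag change, checks a captured /playground response body for a verbatim copy of any configured key. The environment variable names (`OPENFGA_AUTHN_METHOD`, `OPENFGA_PLAYGROUND_ENABLED`, `OPENFGA_AUTHN_PRESHARED_KEYS`) follow OpenFGA's `OPENFGA_*` convention and are an assumption to check against the release's documentation; the `playground_bind` parameter and the sample HTML are constructed for the example.

```python
"""Configuration audit for the OpenFGA playground key-exposure issue (CVE-2026-40293).

Added example for this debrief; not OpenFGA project code. Variable names under the
OPENFGA_* prefix are assumed from OpenFGA's environment-variable convention.
"""
from __future__ import annotations

import re
from typing import Mapping

# Inclusive affected range from the advisory: 0.1.4 through 1.13.1, fixed in 1.14.0.
FIRST_AFFECTED = (0, 1, 4)
LAST_AFFECTED = (1, 13, 1)
FIXED_VERSION = "1.14.0"

# Bind addresses treated as "localhost only" for the reachability check.
_LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]")

# Constructed stand-in for a /playground response that embeds a configured key.
SAMPLE_PLAYGROUND_HTML = (
    "<html><body><script>"
    'window.openfgaConfig = {"authn":"preshared","apiKey":"key1"};'
    "</script></body></html>"
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'v1.13.1', '1.13.1' or '1.13.1-rc1' into a comparable (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def _truthy(value: str | None, default: bool) -> bool:
    """Parse a boolean-ish setting; an absent or empty value takes the default."""
    if value is None or value.strip() == "":
        return default
    return value.strip().lower() in ("1", "true", "yes", "on")


def _binds_beyond_loopback(bind_address: str) -> bool:
    """'0.0.0.0:3000' or ':3000' reach beyond localhost; '127.0.0.1:3000' does not."""
    host = bind_address.rsplit(":", 1)[0] if ":" in bind_address else bind_address
    return not host.startswith(_LOOPBACK_PREFIXES)


def configured_keys(env: Mapping[str, str]) -> list[str]:
    """Comma-separated preshared keys from the (assumed) OPENFGA_AUTHN_PRESHARED_KEYS variable."""
    raw = env.get("OPENFGA_AUTHN_PRESHARED_KEYS", "")
    return [k.strip() for k in raw.split(",") if k.strip()]


def audit_openfga(env: Mapping[str, str], version: str, playground_bind: str) -> list[str]:
    """Return findings for the vulnerable combination; an empty list means not exposed.

    playground_bind is the address on which the deployment exposes the playground
    (hypothetical parameter: take it from your own service or ingress configuration).
    """
    findings: list[str] = []
    preshared = env.get("OPENFGA_AUTHN_METHOD", "").strip().lower() == "preshared"
    # The playground is enabled by default, so a missing variable means "enabled".
    playground_on = _truthy(env.get("OPENFGA_PLAYGROUND_ENABLED"), default=True)
    if is_affected_version(version) and preshared and playground_on:
        findings.append(
            f"version {version} is affected with preshared authn and the playground enabled: "
            f"upgrade to {FIXED_VERSION} or set OPENFGA_PLAYGROUND_ENABLED=false "
            "(equivalent to --playground-enabled=false)"
        )
        if _binds_beyond_loopback(playground_bind):
            findings.append(
                f"playground bound on {playground_bind}: /playground, and the preshared key "
                "embedded in its HTML, are reachable from beyond localhost"
            )
    return findings


def find_exposed_keys(playground_html: str, keys: list[str]) -> list[str]:
    """Configured keys that appear verbatim in a captured /playground response body."""
    return [k for k in keys if k and k in playground_html]


if __name__ == "__main__":
    # Constructed configuration reproducing the vulnerable combination.
    env = {
        "OPENFGA_AUTHN_METHOD": "preshared",
        "OPENFGA_AUTHN_PRESHARED_KEYS": "key1,key2",
    }
    for line in audit_openfga(env, "v1.13.1", "0.0.0.0:3000"):
        print("FINDING:", line)
    print("keys visible in response:", find_exposed_keys(SAMPLE_PLAYGROUND_HTML, configured_keys(env)))
```

Run the audit against the same inputs after upgrading or after setting the flag: an empty findings list and an empty `find_exposed_keys` result are the two conditions that together show the exposure is closed.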

Evidence notes

The CVE record and NVD detail provide information on the vulnerability's impact and affected versions. Vendor advisories and mitigation strategies are available through OpenFGA's GitHub releases and security advisories.

Official resources

This article is AI-assisted and based on the supplied source corpus.