PatchSiren cyber security CVE debrief
CVE-2026-55170 openfga CVE debrief
CVE-2026-55170 is an authorization bypass vulnerability in OpenFGA, a developer-focused authorization/permission engine. When MySQL is used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns may treat case-distinct values as equivalent. This could lead to two distinct check requests returning the same response. The issue is addressed in OpenFGA version 1.18.0. Developers and administrators using OpenFGA with MySQL should verify their configurations and update to mitigate this vulnerability.
- Vendor
- openfga
- Product
- Unknown
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Developers and administrators using OpenFGA with MySQL as the datastore should verify their configurations and update to version 1.18.0 or later to mitigate this vulnerability. This includes reviewing authorization decisions for case-sensitive user strings and ensuring proper handling to prevent incorrect authorization. Security teams and vulnerability management teams should also be aware of the potential impact and review their systems for exposure.
Technical summary
In OpenFGA versions prior to 1.18.0, when MySQL is used as the datastore and authorization decisions are based on case-sensitive user strings, the system incorrectly treats case-distinct user identifiers as equivalent. Specifically, the tuple, changelog, and authorization_model identifier columns compare values such as 'user:Alice' and 'user:alice' as the same, potentially leading to incorrect authorization decisions. This vulnerability is fixed in OpenFGA version 1.18.0. The issue arises from the comparison of case-sensitive strings in the context of MySQL datastore.
Defensive priority
Low
Recommended defensive actions
- Update OpenFGA to version 1.18.0 or later
- Verify MySQL datastore configurations for case-sensitive user string handling
- Monitor authorization decisions for unexpected behavior
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-09T22:17:05.937Z and was last modified on 2026-07-10T15:16:41.493Z. The NVD entry is currently in the 'Received' status. The OpenFGA project provides an authorization/permission engine for developers. This CVE is related to a vulnerability in OpenFGA when using MySQL as the datastore. The vulnerability is addressed in OpenFGA version 1.18.0. Evidence of exploitation is not currently available. Defenders should verify their configurations and update to version 1.18.0 or later to mitigate this vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T22:17:05.937Z and has not been modified since then. The NVD entry is currently Received.