PatchSiren cyber security CVE debrief
CVE-2026-55689 openfga CVE debrief
CVE-2026-55689 is a MEDIUM severity vulnerability in OpenFGA's OIDC authenticator. Prior to version 1.18.0, the OIDC authenticator skipped JWT audience validation when certain conditions were met, potentially allowing unauthorized access. This issue is fixed in version 1.18.0. Users of OpenFGA prior to version 1.18.0 who utilize OIDC authentication should verify their configurations and update to the latest version to mitigate potential unauthorized access. The vulnerability allows a token intended for a different service by the same identity provider to be used for authentication.
- Vendor
- openfga
- Product
- Unknown
- CVSS
- MEDIUM 6.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Users of OpenFGA prior to version 1.18.0 who utilize OIDC authentication should verify their configurations and update to the latest version to mitigate potential unauthorized access. This includes OpenFGA operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact of the vulnerability and take necessary actions.
Technical summary
OpenFGA's OIDC authenticator had a vulnerability where JWT audience validation was skipped under specific configuration conditions. This could allow a token intended for a different service by the same identity provider to be used for authentication. The issue was addressed in OpenFGA version 1.18.0 by implementing proper audience validation. The vulnerability affects OpenFGA versions prior to 1.18.0 and is related to OIDC authentication configurations.
Defensive priority
Medium priority for users of OpenFGA with OIDC authentication; immediate review and update recommended.
Recommended defensive actions
- Review OpenFGA configurations for OIDC authentication and ensure proper audience validation.
- Update OpenFGA to version 1.18.0 or later.
- Verify identity provider configurations for proper JWT audience settings.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record and NVD details were used to assess the vulnerability. Limited additional information was available, so further verification is recommended. OpenFGA's OIDC authenticator vulnerability allows unauthorized access under specific configurations. Users should verify their configurations and update to the latest version. The CVE record was published on 2026-07-09T22:17:06.553Z and has not been modified since then. No additional details are provided in the source corpus.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T22:17:06.553Z and has not been modified since then.