PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55689 openfga CVE debrief

CVE-2026-55689 is a MEDIUM severity vulnerability in OpenFGA's OIDC authenticator. Prior to version 1.18.0, the OIDC authenticator skipped JWT audience validation when certain conditions were met, potentially allowing unauthorized access. This issue is fixed in version 1.18.0. Users of OpenFGA prior to version 1.18.0 who utilize OIDC authentication should verify their configurations and update to the latest version to mitigate potential unauthorized access. The vulnerability allows a token intended for a different service by the same identity provider to be used for authentication.

Vendor
openfga
Product
Unknown
CVSS
MEDIUM 6.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of OpenFGA prior to version 1.18.0 who utilize OIDC authentication should verify their configurations and update to the latest version to mitigate potential unauthorized access. This includes OpenFGA operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact of the vulnerability and take necessary actions.

Technical summary

OpenFGA's OIDC authenticator had a vulnerability where JWT audience validation was skipped under specific configuration conditions. This could allow a token intended for a different service by the same identity provider to be used for authentication. The issue was addressed in OpenFGA version 1.18.0 by implementing proper audience validation. The vulnerability affects OpenFGA versions prior to 1.18.0 and is related to OIDC authentication configurations.

Defensive priority

Medium priority for users of OpenFGA with OIDC authentication; immediate review and update recommended.

Recommended defensive actions

  • Review OpenFGA configurations for OIDC authentication and ensure proper audience validation.
  • Update OpenFGA to version 1.18.0 or later.
  • Verify identity provider configurations for proper JWT audience settings.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record and NVD details were used to assess the vulnerability. Limited additional information was available, so further verification is recommended. OpenFGA's OIDC authenticator vulnerability allows unauthorized access under specific configurations. Users should verify their configurations and update to the latest version. The CVE record was published on 2026-07-09T22:17:06.553Z and has not been modified since then. No additional details are provided in the source corpus.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T22:17:06.553Z and has not been modified since then.