Vulnerability Details CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 21.6%
CVSS Severity
CVSS v3 Score 6.8