PT-2026-50730 · Go · github.com/openfga/openfga

Published 2026-06-18 · Updated 2026-06-18 · CVE-2026-55170

CVSS v4.0: 2.1 (Low)

Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Description

In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response.

Preconditions

This applies if the following preconditions are met:
  1. You run OpenFGA with MySQL as the datastore.
  2. Your authorization decisions rely on case-sensitive user strings.
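
To judge whether a deployment meets the second precondition, the following added example (not OpenFGA's code and not part of the advisory) groups user strings that are distinct byte-for-byte but identical once letter case is ignored. It assumes lower-casing is an adequate stand-in for the comparison at issue, which the advisory does not detail; `CaseCollisions` and the sample user strings are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CaseCollisions groups user strings that are distinct byte-for-byte but equal
// once letter case is ignored. Assumption: lower-casing approximates the
// comparison that matters here; the advisory does not spell out the mechanism.
// Exact duplicates are collapsed and never reported as a collision.
func CaseCollisions(users []string) [][]string {
	groups := map[string]map[string]struct{}{}
	for _, u := range users {
		key := strings.ToLower(u)
		if groups[key] == nil {
			groups[key] = map[string]struct{}{}
		}
		groups[key][u] = struct{}{}
	}
	var out [][]string
	for _, set := range groups {
		if len(set) < 2 {
			continue // only one spelling seen, nothing to review
		}
		g := make([]string, 0, len(set))
		for u := range set {
			g = append(g, u)
		}
		sort.Strings(g)
		out = append(out, g)
	}
	// Deterministic order so the report can be diffed between runs.
	sort.Slice(out, func(i, j int) bool { return out[i][0] < out[j][0] })
	return out
}

func main() {
	// Constructed sample: the user field of exported relationship tuples.
	users := []string{"user:alice", "user:Alice", "user:bob", "user:bob",
		"group:eng#member", "group:ENG#member", "user:carol"}
	for _, g := range CaseCollisions(users) {
		fmt.Println("review:", strings.Join(g, " <-> "))
	}
}
```

An empty result means no stored user strings differ only by case; any reported group is a pair of identities to review before and after upgrading.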

Fix

Upgrade to OpenFGA 1.18.0 or greater.

Acknowledgements

OpenFGA would like to thank @sahajamoth for the detailed report.

Weakness Enumeration

Related identifiers

CVE-2026-55170
GHSA-CF98-J28V-49V6

Affected products

github.com/openfga/openfga