PT-2026-32978 · Openfga · Openfga

Bugbunny-Research · Published 2026-04-08 · Updated 2026-04-27 · CVE-2026-40293

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenFGA versions 0.1.4 through 1.13.1

Description: When configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the '/playground' endpoint. This endpoint is enabled by default and does not require authentication, as it is intended for local development and debugging rather than production environments. The issue affects instances running with --authn-method set to preshared, where the playground is enabled and reachable from beyond localhost or trusted networks.

Recommendations: Upgrade to OpenFGA version 1.14.0. Disable the playground by running ./openfga run --playground-enabled=false.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-40293
GHSA-68M9-983M-F3V5

Affected Products

Openfga