PT-2026-50730 · Go · github.com/openfga/openfga

Published 2026-06-18 · Updated 2026-06-18 · CVE-2026-55170

CVSS v4.0: 2.1 (Low)
Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Description

In OpenFGA, when MySQL is used as the datastore, two distinct check requests can return the same response. As the preconditions below indicate, the distinction that is lost is the letter case of the user string: a check for a user identifier that differs from a stored one only in case can receive the answer that belongs to the stored identifier, i.e. an authorization decision computed for a different principal.

Preconditions

This applies if the following preconditions are met:
  1. You run OpenFGA with MySQL as the datastore
  2. Your authorization decisions rely on case-sensitive user strings.
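To make the failure mode concrete, the following Go program (an added example, not OpenFGA's code or any code from the advisory) models the datastore lookup behind a check request with two user-column comparisons: a case-insensitive one standing in for a case-folding MySQL collation (an assumption; only the case-folding aspect of such a collation is modelled, using strings.EqualFold), and the exact comparison a case-sensitive decision needs. It also includes CollidingUsers, an audit helper that lists distinct user strings in a store which compare equal once case is folded, which is precisely the data the second precondition is about. The tuples, user names and objects are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Tuple is a simplified OpenFGA relationship tuple: user has relation on object.
type Tuple struct {
	User     string
	Relation string
	Object   string
}

// sampleTuples is constructed sample data for this example, not the contents
// of any real store. "user:alice" and "user:Alice" are two distinct users.
var sampleTuples = []Tuple{
	{User: "user:alice", Relation: "viewer", Object: "document:budget"},
	{User: "user:Alice", Relation: "owner", Object: "document:roadmap"},
	{User: "user:bob", Relation: "viewer", Object: "document:budget"},
}

// checkWith models the datastore lookup behind a check request: it reports
// whether a tuple (user, relation, object) exists, comparing the user column
// with the supplied equality function. Relation and object are compared exactly.
func checkWith(tuples []Tuple, user, relation, object string, eq func(a, b string) bool) bool {
	for _, t := range tuples {
		if eq(t.User, user) && t.Relation == relation && t.Object == object {
			return true
		}
	}
	return false
}

// caseInsensitiveEq stands in for a case-insensitive MySQL collation.
// Assumption: only the case-folding behaviour of such a collation is modelled.
func caseInsensitiveEq(a, b string) bool { return strings.EqualFold(a, b) }

// exactEq is the byte-for-byte comparison a case-sensitive decision needs.
func exactEq(a, b string) bool { return a == b }

// CollidingUsers groups the distinct user strings in a store that compare
// equal once case is folded. A non-empty result means the store holds user
// identifiers that a case-insensitive comparison would conflate.
func CollidingUsers(tuples []Tuple) map[string][]string {
	byFolded := map[string]map[string]struct{}{}
	for _, t := range tuples {
		k := strings.ToLower(t.User)
		if byFolded[k] == nil {
			byFolded[k] = map[string]struct{}{}
		}
		byFolded[k][t.User] = struct{}{}
	}
	out := map[string][]string{}
	for k, set := range byFolded {
		if len(set) < 2 {
			continue
		}
		users := make([]string, 0, len(set))
		for u := range set {
			users = append(users, u)
		}
		sort.Strings(users)
		out[k] = users
	}
	return out
}

func main() {
	// Only user:alice is a viewer of document:budget; user:Alice is not.
	comparisons := map[string]func(a, b string) bool{
		"case-insensitive (affected setup)": caseInsensitiveEq,
		"exact (expected)":                  exactEq,
	}
	for name, eq := range comparisons {
		fmt.Printf("%-34s user:Alice viewer document:budget -> %v\n", name,
			checkWith(sampleTuples, "user:Alice", "viewer", "document:budget", eq))
	}
	for folded, users := range CollidingUsers(sampleTuples) {
		fmt.Printf("colliding under case folding %q: %v\n", folded, users)
	}
}
```

With the case-insensitive comparison the check for user:Alice is answered from user:alice's tuple, which is the "two distinct check requests, same response" behaviour the advisory describes; with exact comparison it is denied. Running CollidingUsers over an export of your own tuples (the helper takes any slice of Tuple) tells you whether the second precondition applies to your store before you schedule the upgrade.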

Fix

Upgrade to OpenFGA 1.18.0 or greater. After upgrading, it is worth confirming the behaviour on your own deployment with a pair of check requests whose user strings differ only in letter case and verifying that they no longer receive the same response unless both users actually hold the relationship.

Acknowledgements

OpenFGA would like to thank @sahajamoth for the detailed report.


Weakness Enumeration

Related Identifiers

CVE-2026-55170
GHSA-CF98-J28V-49V6

Affected Products

github.com/openfga/openfga