PT-2026-50974 · Openfga · Openfga

Published: 2026-06-19 · Updated: 2026-06-25 · CVE-2026-55689

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenFGA versions prior to 1.18.0

Description: The OIDC authenticator fails to validate the JWT audience (aud) claim when no audience is configured. In environments where a single identity provider issues tokens for multiple services, a token intended for a different service could be used to authenticate to OpenFGA. This occurs when authn.method is set to oidc and authn.oidc.issuer is configured without setting the authn.oidc.audience variable.

Recommendations: Upgrade to version 1.18.0 or greater. Ensure both authn.oidc.issuer and authn.oidc.audience are configured to enable proper validation.
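The two behaviours the advisory contrasts, as an added illustration that is not OpenFGA's own code: a lenient validator that skips the aud comparison whenever no audience is configured (the pre-1.18.0 behaviour described above), beside a strict one that refuses to run unless both issuer and audience are set and always checks aud. The OIDCConfig type, the function names, the identity-provider URL and the service names are all assumptions made for this example; signature verification is deliberately out of scope here, since the advisory concerns claim validation after the signature has been checked.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// OIDCConfig carries the two settings named in the advisory
// (authn.oidc.issuer and authn.oidc.audience); hypothetical type, not OpenFGA's.
type OIDCConfig struct {
	Issuer   string
	Audience string
}

// DecodeClaims parses the payload of a compact JWS into its claim set. It does
// not verify the signature: a real authenticator checks that against the
// issuer's keys first; this example isolates the iss/aud claim logic.
func DecodeClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-segment compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("payload is not a JSON claims set: %w", err)
	}
	return claims, nil
}

// hasAudience reports whether expected appears in aud, which RFC 7519 allows
// to be a single string or an array of strings.
func hasAudience(aud interface{}, expected string) bool {
	switch v := aud.(type) {
	case string:
		return v == expected
	case []interface{}:
		for _, a := range v {
			if a == expected {
				return true
			}
		}
	}
	return false // absent, null or malformed aud never matches
}

// validate checks iss and aud. With skipAudIfUnset, an empty configured
// audience disables the aud comparison, which is the weakness in the advisory.
func validate(cfg OIDCConfig, token string, skipAudIfUnset bool) error {
	claims, err := DecodeClaims(token)
	if err != nil {
		return err
	}
	if iss, _ := claims["iss"].(string); iss != cfg.Issuer {
		return fmt.Errorf("issuer %q does not match configured %q", iss, cfg.Issuer)
	}
	if cfg.Audience == "" && skipAudIfUnset {
		return nil // weak: any token from this IdP is accepted, whoever it was minted for
	}
	if !hasAudience(claims["aud"], cfg.Audience) {
		return fmt.Errorf("token aud %v does not include %q", claims["aud"], cfg.Audience)
	}
	return nil
}

// ValidateLenient reproduces the pre-1.18.0 behaviour the advisory describes.
func ValidateLenient(cfg OIDCConfig, token string) error {
	return validate(cfg, token, true)
}

// ValidateStrict is the hardened form: both settings required, aud always compared.
func ValidateStrict(cfg OIDCConfig, token string) error {
	if cfg.Issuer == "" || cfg.Audience == "" {
		return errors.New("both authn.oidc.issuer and authn.oidc.audience must be configured")
	}
	return validate(cfg, token, false)
}

// MakeDemoToken builds a constructed, unsigned token with the given iss and aud
// so the checks can run offline; the signature segment is a placeholder.
func MakeDemoToken(iss string, aud interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	payload := map[string]interface{}{"iss": iss, "aud": aud, "sub": "svc-user"}
	return enc(map[string]string{"alg": "RS256"}) + "." + enc(payload) + "." + enc("sig-placeholder")
}

func main() {
	idp := "https://idp.example.com"             // constructed shared identity provider
	foreign := MakeDemoToken(idp, "billing-api") // constructed token minted for another service
	fmt.Println("lenient, audience unset:", ValidateLenient(OIDCConfig{Issuer: idp}, foreign))
	fmt.Println("strict, audience set:   ", ValidateStrict(OIDCConfig{Issuer: idp, Audience: "openfga"}, foreign))
}
```

Run as is, the lenient check prints `<nil>` for the token minted for billing-api, while the strict check with Audience set to openfga rejects it. The useful operational takeaway is the startup refusal in ValidateStrict: treating a missing audience as a configuration error, rather than as "no audience to check", is what closes the gap the advisory describes.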

Weakness Enumeration

Improper Authentication
Related Identifiers

CVE-2026-55689
GHSA-HCXC-WF8J-23HV
GO-2026-5423

Affected Products

Openfga