GHSA-hcxc-wf8j-23hvMediumCVSS 6.8

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Description

OpenFGA's OIDC authenticator skipped JWT audience (aud) validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA.

Preconditions

This applies if the following preconditions are met:

  1. You run OpenFGA with authn.method set to oidc.
  2. You configured authn.oidc.issuer but did not set authn.oidc.audience (--authn-oidc-audience / OPENFGA_AUTHN_OIDC_AUDIENCE).

Fix

Upgrade to OpenFGA 1.18.0 or greater. OpenFGA now refuses to start in oidc mode unless both authn.oidc.issuer and authn.oidc.audience are set, and the aud claim is always validated.

Acknowledgements

OpenFGA would like to thank https://github.com/0xVijay for the report.

🎯 Affected products1

  • go/github.com/openfga/openfga:<= 1.17.1

🔗 References (2)