CVE-2026-40293
Advisory source: GitHub
Summary
Description
When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It is intended for local development and debugging and is not designed to be exposed to production environments.
Am I Affected?
You are affected if you meet each of the following preconditions:
- You are running OpenFGA with --authn-method preshared, and
- The playground is enabled, and
- The playground endpoint is accessible beyond localhost or trusted networks.
Fix
Upgrade to OpenFGA v1.14.0, or disable the playground by running ./openfga run --playground-enabled=false.
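The three preconditions above and the fixed version can be checked mechanically against the command line a deployment actually starts OpenFGA with. The following is an added triage helper, not OpenFGA project code: it parses an `openfga run` argument list for the two flags named in this advisory (`--authn-method` and `--playground-enabled`, in both `--flag value` and `--flag=value` form), compares the running version with v1.14.0, and returns the advisory's workaround command line. It assumes that an absent `--authn-method` means no preshared key is configured and, as the description states, that the playground is enabled when the flag is absent; whether the playground port is reachable beyond localhost is something only the operator's own network review can answer, so it is passed in as a boolean.

```python
"""Triage helper for the CVE-2026-40293 preconditions (added example, not OpenFGA code).

Assumptions: flag names match the advisory (--authn-method, --playground-enabled);
an absent --authn-method is treated as "none"; an absent --playground-enabled is
treated as enabled, as the advisory states; network reachability is supplied by the caller.
"""
from __future__ import annotations

from dataclasses import dataclass, field

FIXED_VERSION = (1, 14, 0)  # first release with the fix, per the advisory
TRUE_VALUES = {"1", "t", "true", "y", "yes"}


def parse_flags(argv: list[str]) -> dict[str, str]:
    """Collect `--name value`, `--name=value` and bare `--name` flags from argv.

    A bare boolean flag such as `--playground-enabled` is recorded as "true".
    """
    flags: dict[str, str] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, has_eq, value = arg[2:].partition("=")
            if has_eq:
                flags[name] = value
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[name] = argv[i + 1]
                i += 1
            else:
                flags[name] = "true"
        i += 1
    return flags


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn "v1.13.2" or "1.14.0-rc1" into a comparable (major, minor, patch) tuple."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


@dataclass
class Finding:
    affected: bool
    reasons: list[str] = field(default_factory=list)


def assess(argv: list[str], version: str, reachable_beyond_localhost: bool) -> Finding:
    """Return whether the deployment matches the advisory's preconditions, and why."""
    if parse_version(version) >= FIXED_VERSION:
        return Finding(False, [f"OpenFGA {version} includes the fix (>= v1.14.0)"])

    flags = parse_flags(argv)
    authn = flags.get("authn-method", "none")  # assumption: unset flag means no preshared auth
    playground_on = flags.get("playground-enabled", "true").lower() in TRUE_VALUES  # default: enabled

    reasons: list[str] = []
    if authn != "preshared":
        reasons.append(f"authn-method is {authn!r}; no preshared key to expose")
    if not playground_on:
        reasons.append("playground disabled")
    if not reachable_beyond_localhost:
        reasons.append("playground reachable only from localhost or trusted networks")
    if reasons:
        return Finding(False, reasons)
    return Finding(True, ["preshared authn, playground enabled and reachable, version below v1.14.0"])


def harden(argv: list[str]) -> list[str]:
    """Return the command line with the advisory's workaround applied: playground off."""
    kept: list[str] = []
    skip_next = False
    for i, arg in enumerate(argv):
        if skip_next:
            skip_next = False
            continue
        if arg == "--playground-enabled":
            # drop a space-separated value too, if one follows the bare flag
            if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                skip_next = True
            continue
        if arg.startswith("--playground-enabled="):
            continue
        kept.append(arg)
    return kept + ["--playground-enabled=false"]


if __name__ == "__main__":
    cmd = ["run", "--authn-method", "preshared"]  # constructed sample command line
    print(assess(cmd, "v1.13.0", reachable_beyond_localhost=True))
    print(" ".join(["./openfga"] + harden(cmd)))
```

Run it against the real argument list from the service unit or container entrypoint; the version string can be taken from whatever the deployment pins (image tag, binary `--version` output). A `Finding` with `affected=False` still lists why, so a review can see which precondition broke the chain rather than just a verdict.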
Common Weakness Enumeration (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
Identifiers and scores by source

Source       Identifier               Score
Docker       CVE-2026-40293           -
NIST         3.9                      CVSS score 6.5 (medium)
GitHub       3.9                      CVSS score 6.5 (medium)
Chainguard   CGA-7m8g-jjfv-xgm3       -
minimos      MINI-29f3-pwmh-57q9      -
minimos      MINI-4842-93m8-pm74      -
minimos      MINI-4924-7hc6-26wv      -
minimos      MINI-8j9v-3m2x-7qm7      -
minimos      MINI-8m4q-6qjp-hqj6      -
minimos      MINI-8v66-mgm3-fr7w      -
minimos      MINI-f437-qhfm-r7vf      -
minimos      MINI-w8pr-vx5q-hxm3      -
minimos      MINI-xxqf-c23m-3c97      -