CVE-2026-40293
Summary (source: GitHub advisory)
Description
When OpenFGA is configured to use preshared-key authentication (--authn-method preshared) with the built-in playground enabled, the server embeds the preshared API key in the HTML response of the /playground endpoint. The playground is enabled by default and the /playground endpoint does not require authentication, so any client that can reach it can read the key and then authenticate to the API with it. The playground is intended for local development and debugging and is not designed to be exposed to production environments.
Am I Affected?
You are affected if you meet each of the following preconditions:
- You are running OpenFGA with --authn-method preshared, and
- The playground is enabled, and
- The playground endpoint is accessible beyond localhost or trusted networks.
Fix
Upgrade to OpenFGA v1.14.0, or disable the playground by running ./openfga run --playground-enabled=false. If the playground has been reachable by untrusted clients, treat the preshared key as exposed and rotate it: upgrading or disabling the playground stops further disclosure but does not revoke a key that has already been read.
Common Weakness Enumeration (CWE)
Exposure of Sensitive Information to an Unauthorized Actor (source: GitHub advisory)
Sources

Source      Advisory ID           Exploitability score   Exploits found   CWE                                                          CVSS score
Docker      CVE-2026-40293        -                      -                -                                                            -
GitHub      GHSA-68m9-983m-f3v5   3.9                    -                Exposure of Sensitive Information to an Unauthorized Actor   6.5 (medium)
Chainguard  CGA-7m8g-jjfv-xgm3    -                      -                -                                                            -