CVE-2026-55170
ADVISORY - github
Summary
Description
In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response.
Preconditions
This applies if the following preconditions are met:
- You run OpenFGA with MySQL as the datastore.
- Your authorization decisions rely on case-sensitive user strings.
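To judge whether the second precondition applies to a deployment, the following added example (not OpenFGA code and not part of the advisory) scans an exported tuple list for user strings that differ only by letter case and lists the grants that the spellings do not share. It assumes tuples in the (user, relation, object) shape, uses Python's `casefold()` as the definition of "differs only by case", and runs on constructed sample data.

```python
from collections import defaultdict

# Constructed sample tuples in (user, relation, object) shape; not real data.
SAMPLE_TUPLES = [
    {"user": "user:Alice", "relation": "viewer", "object": "document:roadmap"},
    {"user": "user:alice", "relation": "viewer", "object": "document:roadmap"},
    {"user": "user:alice", "relation": "editor", "object": "document:budget"},
    {"user": "user:bob", "relation": "viewer", "object": "document:roadmap"},
    {"user": "user:BOB", "relation": "viewer", "object": "document:roadmap"},
    {"user": "user:carol", "relation": "owner", "object": "document:budget"},
]


def find_case_collisions(tuples):
    """Return {folded_user: {spelling: {(relation, object), ...}}} for every
    group of user strings that are distinct but equal after case folding."""
    grants = defaultdict(lambda: defaultdict(set))
    for t in tuples:
        grants[t["user"].casefold()][t["user"]].add((t["relation"], t["object"]))
    return {k: dict(v) for k, v in grants.items() if len(v) > 1}


def divergent_grants(collisions):
    """For each colliding group, list grants held by some spellings but not
    all of them. These are the decisions that change if two spellings are
    treated as one user, so they are the ones to review first."""
    report = {}
    for folded, by_spelling in collisions.items():
        all_grants = set().union(*by_spelling.values())
        shared = set.intersection(*by_spelling.values())
        diff = all_grants - shared
        if diff:
            report[folded] = sorted(diff)
    return report


if __name__ == "__main__":
    collisions = find_case_collisions(SAMPLE_TUPLES)
    for folded, by_spelling in sorted(collisions.items()):
        print("case-colliding users:", sorted(by_spelling))
    for folded, grants in sorted(divergent_grants(collisions).items()):
        print("review grants for", folded, "->", grants)
```

An empty result from `find_case_collisions` means no stored user strings currently depend on case; it says nothing about strings that may be written later.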
Fix
Upgrade to OpenFGA 1.18.0 or greater.
Acknowledgements
OpenFGA would like to thank @sahajamoth for the detailed report.
Common Weakness Enumeration (CWE)
ADVISORY - github
Improper Handling of Case Sensitivity