GHSA-68m9-983m-f3v5

ADVISORY - github

Summary

Description

When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It is intended for local development and debugging and is not designed to be exposed to production environments.

Am I Affected?

You are affected if you meet each of the following preconditions:

You are running OpenFGA with --authn-method preshared, and
The playground is enabled, and
The playground endpoint is accessible beyond localhost or trusted networks.

Fix

Upgrade to OpenFGA v1.14.0, or disable the playground by running ./openfga run --playground-enabled=false.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-200⁠

Exposure of Sensitive Information to an Unauthorized Actor

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.