OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0.

Project Subscriptions

Vendors Products
Openfga Subscribe
Openfga Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cf98-j28v-49v6 OpenFGA Improper Policy Enforcement
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 09 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Openfga
Openfga openfga
Vendors & Products Openfga
Openfga openfga

Thu, 09 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0.
Title OpenFGA MySQL backend: case-insensitive collation on identifier columns causes incorrect authorization decisions
Weaknesses CWE-178
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-09T21:04:28.713Z

Reserved: 2026-06-16T15:13:28.166Z

Link: CVE-2026-55170

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T22:30:05Z

Weaknesses