Compliance Impact

This vulnerability involves the exposure of a preshared API key in the HTML response of the /playground endpoint when OpenFGA is configured with preshared-key authentication and the playground is enabled. Since the /playground endpoint is enabled by default and does not require authentication, if it is accessible beyond localhost or trusted networks, unauthorized parties could obtain the API key.

Exposure of sensitive authentication credentials like API keys can lead to unauthorized access to protected resources or data. Such unauthorized access could potentially result in violations of data protection regulations such as GDPR or HIPAA, which require strict controls over access to personal or sensitive data.

Therefore, this vulnerability could negatively impact compliance with standards and regulations that mandate secure handling of authentication credentials and protection of sensitive data.

Useful 0 Not Useful 0

Executive Summary

This vulnerability affects OpenFGA versions 0.1.4 through 1.13.1 when configured to use preshared-key authentication with the built-in playground enabled.

In this configuration, the local server includes the preshared API key in the HTML response of the /playground endpoint.

The /playground endpoint is enabled by default, does not require authentication, and is intended only for local development and debugging.

If the playground endpoint is accessible beyond localhost or trusted networks, unauthorized users can obtain the preshared API key, leading to potential unauthorized access.

To fix this issue, users should upgrade to OpenFGA version 1.14.0 or disable the playground by running the command './openfga run --playground-enabled=false'.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability can expose the preshared API key to unauthorized users.

With access to the API key, attackers could potentially gain unauthorized access to the OpenFGA authorization engine.

This could lead to unauthorized permission changes or access to protected resources.

The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the OpenFGA server is running with preshared-key authentication and if the /playground endpoint is accessible beyond localhost or trusted networks. Since the /playground endpoint is enabled by default and does not require authentication, you can attempt to access it remotely and inspect the HTML response for the presence of the preshared API key.

A simple way to detect this on your network is to use a command-line tool like curl to request the /playground endpoint from a remote machine:

• curl http://<openfga-server-address>:<port>/playground

If the response HTML contains the preshared API key, then the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should either upgrade OpenFGA to version 1.14.0 or later, where the issue is fixed, or disable the playground endpoint.

To disable the playground, run the OpenFGA server with the following command line option:

• ./openfga run --playground-enabled=false

Additionally, ensure that the playground endpoint is not accessible beyond localhost or trusted networks to reduce exposure.

Useful 0 Not Useful 0