CVE-2026-55170
Undergoing Analysis Undergoing Analysis - In Progress

Authorization Decision Bypass in OpenFGA MySQL Datastore

Vulnerability report for CVE-2026-55170, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openfga openfga to 1.18.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenFGA versions prior to 1.18.0 when using MySQL as the datastore. It occurs because the system treats case-distinct user strings, such as 'user:Alice' and 'user:alice', as equivalent in certain database columns (tuple, changelog, and authorization_model identifier). As a result, two different authorization check requests that differ only in case can return the same response, potentially causing incorrect authorization decisions.

Compliance Impact

The vulnerability in OpenFGA prior to version 1.18.0 causes case-distinct user strings to be treated as equivalent in authorization decisions when using MySQL as the datastore. This can lead to incorrect authorization responses, potentially allowing unauthorized access or denial of access.

Such incorrect authorization behavior could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If authorization decisions are flawed, it may result in unauthorized data access or failure to properly restrict access, thereby violating these compliance requirements.

However, the CVE description does not explicitly mention compliance impacts or specific regulatory consequences.

Impact Analysis

The impact of this vulnerability is that authorization decisions may be incorrect due to case-insensitive comparisons of user identifiers. This means that a user might gain access to resources or permissions intended for a different user with a similar but case-distinct identifier, potentially leading to unauthorized access or privilege escalation.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenFGA to version 1.18.0 or later, where the issue has been fixed.

Detection Guidance

This vulnerability arises from case-insensitive comparisons of user identifiers in the MySQL backend of OpenFGA prior to version 1.18.0. To detect if your system is affected, you should verify the OpenFGA version and check if the schema migration 008 has been applied.

First, confirm the OpenFGA version running on your system. If it is earlier than 1.18.0, your system is potentially vulnerable.

Next, check the collation of the identifier columns in the MySQL database tables `tuple`, `changelog`, and `authorization_model`. If these columns do not use the `utf8mb4_bin` collation, the vulnerability is present.

Suggested MySQL commands to check the collation of these columns:

  • SHOW FULL COLUMNS FROM tuple;
  • SHOW FULL COLUMNS FROM changelog;
  • SHOW FULL COLUMNS FROM authorization_model;

Look specifically at the collation for the identifier columns in the output. If the collation is not `utf8mb4_bin`, the database is using case-insensitive comparison and is vulnerable.

Additionally, you can test authorization decisions involving user identifiers that differ only in case (e.g., `user:Alice` vs `user:alice`). If the system treats them as equivalent, the vulnerability is present.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55170. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart