GHSA-68M9-983M-F3V5: Credential Exposure in OpenFGA Playground Endpoint
Vulnerability ID: GHSA-68M9-983M-F3V5
CVSS Score: 7.5
Published: 2026-04-08
OpenFGA versions 1.13.1 and prior are vulnerable to sensitive information disclosure when configured with preshared-key authentication and the built-in playground enabled. The server inadvertently embeds the preshared API key into the HTML response of the /playground endpoint, allowing unauthenticated attackers to extract the credential and gain administrative access to the OpenFGA API.
TL;DR
OpenFGA leaks the preshared authentication key in the /playground HTML response. Unauthenticated attackers can extract this key to gain full API access. Administrators must upgrade to v1.14.0 or disable the playground.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-200
- Attack Vector: Network
- Authentication: None Required
- CVSS Score: 7.5
- Impact: Credential Exposure / API Compromise
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- OpenFGA Server
- OpenFGA: <= 1.13.1 (Fixed in: 1.14.0)
Mitigation Strategies
- Upgrade OpenFGA to version v1.14.0 or later.
- Disable the playground in production environments.
- Rotate any previously configured preshared keys.
Remediation Steps:
- Verify the current OpenFGA version running in the environment.
- Update the deployment artifacts (Docker images, Helm charts, binaries) to use OpenFGA v1.14.0.
- If upgrading is impossible, set playground.enabled: false in the configuration file or pass the --playground-enabled=false flag at startup.
- Generate a new preshared key and update the OpenFGA configuration.
- Update all client applications relying on the preshared key to use the newly generated credential.
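The following self-audit script is an added example for operators working through the steps above; it is not OpenFGA's own code. It assumes you run the server and know the preshared key(s) configured on it, and the sample HTML it ships with is constructed for the test, not captured from a real OpenFGA playground page.

```python
"""Self-audit helpers for GHSA-68M9-983M-F3V5 (added example, not OpenFGA code)."""
import re
import urllib.request
from urllib.error import HTTPError

# First fixed release named in the advisory.
FIXED = (1, 14, 0)


def parse_version(v: str) -> tuple:
    """'v1.13.1' or '1.13.1' -> (1, 13, 1); raises ValueError on anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True for 1.13.1 and earlier (the advisory's range), False from 1.14.0 on."""
    return parse_version(version) < FIXED


def playground_findings(status: int, body: str, keys) -> dict:
    """Classify a /playground response from YOUR OWN server.

    A 200 means the playground is still enabled; any configured key that
    appears verbatim in the body is being disclosed to unauthenticated callers.
    """
    enabled = status == 200
    leaked = [k for k in keys if enabled and k in body]
    return {"playground_enabled": enabled, "leaked_keys": leaked}


def fetch_playground(base_url: str, timeout: float = 5.0):
    """Unauthenticated GET of /playground; returns (status, body) even on 4xx/5xx."""
    req = urllib.request.Request(base_url.rstrip("/") + "/playground", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


# Constructed sample (assumed shape, not OpenFGA's real markup): a page that
# inlines the configured key in a script tag.
SAMPLE_KEY = "example-preshared-key-CHANGE-ME"
SAMPLE_LEAKY_HTML = '<html><script>window.cfg={"apiKey":"' + SAMPLE_KEY + '"}</script></html>'

if __name__ == "__main__":
    # Live use: audit(base_url, configured_keys) against a server you operate.
    print(is_affected("v1.13.1"), playground_findings(200, SAMPLE_LEAKY_HTML, [SAMPLE_KEY]))
```

After upgrading or disabling the playground, a repeat run should report the playground as disabled and no leaked keys; rotate the key regardless, since it may already have been read.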
References
- GitHub Advisory: GHSA-68M9-983M-F3V5
- OpenFGA Repository Security Advisory
- OpenFGA Release Notes v1.14.0
- OpenFGA Configuration Documentation