## Description OpenFGA's OIDC authenticator skipped JWT audience (`aud`) validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. ## Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with `authn.method` set to `oidc`. 2. You configured `authn.oidc.issuer` but did **not** set `authn.oidc.audience` (`--authn-oidc-audience` / `OPENFGA_AUTHN_OIDC_AUDIENCE`). ## Fix Upgrade to OpenFGA 1.18.0 or greater. OpenFGA now refuses to start in `oidc` mode unless both `authn.oidc.issuer` and `authn.oidc.audience` are set, and the `aud` claim is always validated. ## Acknowledgements OpenFGA would like to thank https://github.com/0xVijay for the report.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Get alerted for CVEs like this
Register your stack and get notified within minutes when a matching CVE drops.
Start monitoring free