{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40293", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.035Z", "datePublished": "2026-04-17T20:47:06.804Z", "dateUpdated": "2026-04-20T16:19:40.914Z"}, "containers": {"cna": {"title": "OpenFGA Playground Preshared Key Exposure", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openfga/openfga/security/advisories/GHSA-68m9-983m-f3v5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openfga/openfga/security/advisories/GHSA-68m9-983m-f3v5"}, {"name": "https://github.com/openfga/openfga/releases/tag/v1.14.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/openfga/openfga/releases/tag/v1.14.0"}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"version": ">= 0.1.4, < 1.14.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:47:06.804Z"}, "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It is intended for local development and debugging and is not designed to be exposed to production environments. Only those who run OpenFGA with `--authn-method` preshared, with the playground enabled, and with the playground endpoint accessible beyond localhost or trusted networks are vulnerable. To remediate the issue, users should upgrade to OpenFGA v1.14.0, or disable the playground by running `./openfga run --playground-enabled=false.`"}], "source": {"advisory": "GHSA-68m9-983m-f3v5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:19:32.851531Z", "id": "CVE-2026-40293", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:19:40.914Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40293", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:19:32.851531Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:19:37.062Z"}}], "cna": {"title": "OpenFGA Playground Preshared Key Exposure", "source": {"advisory": "GHSA-68m9-983m-f3v5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openfga", "product": "openfga", "versions": [{"status": "affected", "version": ">= 0.1.4, < 1.14.0"}]}], "references": [{"url": "https://github.com/openfga/openfga/security/advisories/GHSA-68m9-983m-f3v5", "name": "https://github.com/openfga/openfga/security/advisories/GHSA-68m9-983m-f3v5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openfga/openfga/releases/tag/v1.14.0", "name": "https://github.com/openfga/openfga/releases/tag/v1.14.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It is intended for local development and debugging and is not designed to be exposed to production environments. Only those who run OpenFGA with `--authn-method` preshared, with the playground enabled, and with the playground endpoint accessible beyond localhost or trusted networks are vulnerable. To remediate the issue, users should upgrade to OpenFGA v1.14.0, or disable the playground by running `./openfga run --playground-enabled=false.`"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:47:06.804Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40293", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:19:40.914Z", "dateReserved": "2026-04-10T20:22:44.035Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T20:47:06.804Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It is intended for local development and debugging and is not designed to be exposed to production environments. Only those who run OpenFGA with `--authn-method` preshared, with the playground enabled, and with the playground endpoint accessible beyond localhost or trusted networks are vulnerable. To remediate the issue, users should upgrade to OpenFGA v1.14.0, or disable the playground by running `./openfga run --playground-enabled=false.`"}], "id": "CVE-2026-40293", "lastModified": "2026-04-20T19:03:07.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T21:16:34.567", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openfga/openfga/releases/tag/v1.14.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/openfga/openfga/security/advisories/GHSA-68m9-983m-f3v5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.1.4,1.14.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openfga", "source": "cna", "vendor": "openfga"}, "product": "openfga", "vendor": "openfga"}], "analysis": {"en": {"generated_at": "2026-04-18T08:58:23.158401+00:00", "value": {"mitigation_remediation": ["Upgrade OpenFGA to version 1.14.0 or later to eliminate the key exposure.", "If an upgrade is not yet possible, disable the playground feature by running ./openfga run --playground-enabled=false.", "In production deployments, avoid using preshared\u2011key authentication and ensure the playground is either disabled or restricted to trusted local networks."], "summary": {"action": "Immediate Patch", "impact": "Exposes preshared API key in playground response"}, "threat_synthesis": {"affected_systems": "Products affected are OpenFGA, version range 0.1.4 through 1.13.1. The issue exists only when the server is started with the --authn-method preshared flag and the playground is enabled (the default). Systems that restrict the /playground endpoint to localhost or otherwise protected networks are not vulnerable. All other OpenFGA versions are unaffected.", "description_and_impact": "The vulnerability in OpenFGA occurs when the playground feature is enabled and the server is configured to use preshared\u2011key authentication. In this configuration, requests to the /playground endpoint return the API key as part of the HTML payload. This disclosure of a secret credential can lead to credential compromise, allowing an attacker who can reach the host to authenticate to the service with elevated privileges. The weakness is an information\u2011disclosure flaw, categorized as CWE\u2011200.", "risk_and_exploitability": "The issue has a CVSS score of 6.5, indicating moderate severity. There is no EPSS score available and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a network attacker who can reach the OpenFGA host and send an HTTP request to /playground. Because the endpoint requires no authentication, the attacker can obtain the preshared key directly. Once the key is known, it can be used to authenticate to the server, potentially giving the attacker full control over the authorization engine. The condition of the playground being accessible beyond localhost or from untrusted networks is a prerequisite, so securing the endpoint or disabling the playground mitigates the risk."}}}}, "created": "2026-04-17T22:30:29.501507+00:00", "updated": "2026-04-18T09:00:05.903045+00:00", "vendors": ["openfga", "openfga$PRODUCT$openfga"]}