OpenFGA Preshared Key Exposure Vulnerability in Playground Endpoint

Vulnerability

A vulnerability exists in OpenFGA versions 0.1.4 through 1.13.1, where the preshared API key is inadvertently exposed in the HTML response of the /playground endpoint. This issue arises when OpenFGA is configured to use preshared-key authentication, with the playground enabled and accessible beyond localhost or trusted networks. The /playground endpoint, which is enabled by default and does not require authentication, is intended for local development and debugging, not for production environments.

Impact

Exposing the preshared API key in the /playground endpoint response could allow unauthorized users to gain access to the API with the exposed key, potentially leading to unauthorized actions or data access.

Remediation

Users should upgrade to OpenFGA version 1.14.0 or disable the playground feature by running OpenFGA with the '--playground-enabled=false' option.
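Added example (not OpenFGA's own code): a small audit that flags a deployment matching the affected conditions above, reading the settings from the OPENFGA_* environment variables that mirror the server flags; the exact variable names (OPENFGA_AUTHN_METHOD, OPENFGA_PLAYGROUND_ENABLED) and the lenient version parsing are assumptions to confirm against your own release. It goes slightly beyond the text by treating every build below 1.14.0 (the fix version) as affected rather than stopping at 1.13.1.

```python
"""Audit OpenFGA settings for the /playground preshared-key exposure.

Constructed example, not part of OpenFGA. Settings are taken from the
OPENFGA_* environment variables that mirror the CLI flags; treat the
variable names as an assumption and verify them for your version.
"""
import re

AFFECTED_MIN = (0, 1, 4)   # first affected release named in the advisory
FIXED = (1, 14, 0)         # first release carrying the fix


def parse_version(text):
    """'v1.13.1' or '1.13.1-rc1' -> (1, 13, 1); pre-release tags are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_truthy(value):
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def audit(env, version):
    """Return a list of findings; an empty list means the exposure does not apply."""
    findings = []
    vulnerable_build = AFFECTED_MIN <= parse_version(version) < FIXED
    preshared = env.get("OPENFGA_AUTHN_METHOD", "none").strip().lower() == "preshared"
    # The playground is on by default, so only an explicit "false" turns it off.
    playground = is_truthy(env.get("OPENFGA_PLAYGROUND_ENABLED", "true"))
    if vulnerable_build and preshared and playground:
        findings.append("preshared key exposed via /playground: upgrade to 1.14.0 "
                        "or start with --playground-enabled=false")
    elif playground:
        findings.append("playground enabled: intended for local development only")
    return findings


if __name__ == "__main__":
    # Constructed sample deployment: preshared auth, playground left at its default.
    sample_env = {"OPENFGA_AUTHN_METHOD": "preshared",
                  "OPENFGA_AUTHN_PRESHARED_KEYS": "example-key-placeholder"}
    for finding in audit(sample_env, "v1.13.1"):
        print(finding)
```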

Added: Apr 17, 2026, 10:08 PM
Updated: Apr 17, 2026, 10:08 PM

Vulnerability Rating

Custom Algorithm (category: score)

spread: 1.4
impact: 2.5
exploitability: 7.8
remediation: 8.3
relevance: 6.1
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.