Skip to content

security: bump openfga to v1.18.1, fixes GO-2026-5423#643

Merged
lakhansamani merged 1 commit into
mainfrom
security/bump-openfga-oidc-cve
Jul 7, 2026
Merged

security: bump openfga to v1.18.1, fixes GO-2026-5423#643
lakhansamani merged 1 commit into
mainfrom
security/bump-openfga-oidc-cve

Conversation

@lakhansamani

Copy link
Copy Markdown
Contributor

Summary

govulncheck has been failing on main since ~2026-06-29 (unrelated to any in-flight feature work): github.com/openfga/openfga@v1.17.1 has a published advisory, GO-2026-5423 — OIDC audience validation is skipped when --authn-oidc-audience is unset.

We embed the FGA server in-process via server.NewServerWithOpts(server.WithDatastore(ds)) (internal/authorization/engine/openfga/openfga.go) and never wire its OIDC authn middleware or CLI flags, so the vulnerable code path isn't reachable at runtime. govulncheck still flags it because the vulnerable symbols are statically reachable through the server package's call graph — a false-positive from an exploitability standpoint, but a real CI gate failure.

Change

Bump github.com/openfga/openfga v1.17.1 → v1.18.1 (latest patch on top of the v1.18.0 fix version).

Test plan

  • go build ./... clean
  • go vet ./... clean
  • make lint-go — 0 issues
  • TEST_DBS=sqlite go test -p 1 ./internal/authorization/... ./internal/service/... — pass
  • make test-sqlite (full integration suite) — pass
  • govulncheck ./... — no vulnerabilities found

github.com/openfga/openfga@v1.17.1 skips OIDC audience validation when
--authn-oidc-audience is unset. We embed the FGA server in-process via
server.WithDatastore and never wire its OIDC authn middleware, so the
vulnerable path isn't reachable at runtime, but govulncheck flags it
via static call-graph reachability and fails CI on every branch.
@lakhansamani lakhansamani merged commit 1401fdb into main Jul 7, 2026
4 checks passed
@lakhansamani lakhansamani deleted the security/bump-openfga-oidc-cve branch July 7, 2026 08:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant