Listen to this Post
The vulnerability arises when OpenFGA is configured to use preshared-key authentication (--authn-method preshared) with the built‑in playground enabled (default state). The playground endpoint (/playground) does not require authentication and is intended solely for local development and debugging. When a user accesses the `/playground` endpoint, the server returns an HTML page that inadvertently includes the preshared API key within the HTML response. This occurs because the server embeds the authentication key into the page’s content, likely for internal use by the playground’s JavaScript. Since the endpoint is exposed without authentication and is not designed for production environments, any remote attacker who can reach this endpoint can retrieve the preshared key simply by viewing the HTML source of the page. The disclosure of the key then allows the attacker to impersonate legitimate API clients, bypassing the intended authentication mechanism. The attack requires no privileges, user interaction, or complex exploitation steps – only network access to the vulnerable `/playground` endpoint. The vulnerability affects all OpenFGA versions from v0.1.4 through v1.13.1 that are run with preshared‑key authentication and the playground enabled and accessible beyond localhost or trusted networks.
Platform: OpenFGA
Version: >=0.1.4, <=1.13.1
Vulnerability : Preshared‑key exposure via /playground
Severity: Medium (CVSS 6.5)
date: 2026-04-08
Prediction: Patch released 2026-04-08 (v1.14.0)
What Undercode Say:
Check if playground is enabled (default: true)
curl -s http://target:8080/playground | grep -i "preshared"
Disable playground immediately
./openfga run --playground-enabled=false
Or set environment variable
export OPENFGA_PLAYGROUND_ENABLED=false
./openfga run
Verify playground is disabled
curl -s -o /dev/null -w "%{http_code}" http://target:8080/playground
Should return 404 or 403
Exploit:
Step 1: Fetch the /playground page curl -s http://vulnerable-host:8080/playground > playground.html Step 2: Extract the preshared key (example pattern) grep -oP 'preshared[=:]["'\''][^"'\'']' playground.html | cut -d'"' -f2 Step 3: Use the stolen key to authenticate as admin curl -H "Authorization: Bearer STOLEN_KEY" http://vulnerable-host:8080/api/...
Protection from this CVE
- Upgrade to OpenFGA v1.14.0 or later.
- Disable playground in production:
--playground-enabled=false. - Restrict network access to `/playground` via firewall/WAF.
- Do not expose the playground endpoint beyond localhost/trusted networks.
Impact
An unauthenticated attacker can retrieve the preshared API key by accessing the `/playground` endpoint. With the key, the attacker can:
– Authenticate to all OpenFGA API endpoints as a privileged client.
– Read, modify, or delete authorization models and tuples.
– Bypass all authentication controls, leading to complete compromise of the OpenFGA instance and any systems relying on its authorization decisions.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

