Open Policy Agent

by Open Policy Agentv1.7.1

Last updated Jun 8, 2026

Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.

Install with winget

$ winget install --id open-policy-agent.opa --exact --version 1.7.1

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

Installers · v1.7.1

Architecture	Type	Scope	Install	Download
x64	Portable	-		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

5 known CVEs via NVD

medium6.1Patched in wingetCVE-2024-8260affects before 0.68.0Aug 30, 2024
A SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OP...
high7.4Patched in wingetCVE-2022-36085affects before 0.43.1Sep 8, 2022
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if e...
Patch
high7.5Patched in wingetCVE-2022-33082affects before 0.42.0Jun 30, 2022
An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.
high7.5Patched in wingetCVE-2022-28946affects v0.39.0May 19, 2022
An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the application to incorrectly interpret every expression, causing a Denial of Service (DoS) via triggering out-of-range memory access.
Patch
medium6.3Patched in wingetCVE-2022-23628affects before 0.37.0Feb 9, 2022
OPA is an open source, general-purpose policy engine. Under certain conditions, pretty-printing an abstract syntax tree (AST) that contains synthetic nodes could change the logic of some statements by reordering array literals. Example of policies impacted are those that parse a...
Patch

Source: NVD, updated just now. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Frequently asked questions

How do I install Open Policy Agent on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id open-policy-agent.opa --exact --version 1.7.1. winget downloads the installer from Open Policy Agent and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install Open Policy Agent silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id open-policy-agent.opa --exact 1.7.1 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

How do I uninstall Open Policy Agent via winget?

Run: winget uninstall --id open-policy-agent.opa --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from Open Policy Agent's Apps & Features entry.

Is Open Policy Agent free?

Open Policy Agent is distributed under Apache-2.0. Refer to the publisher for the full license terms - Wingetly itself does not charge for installation.

Does Open Policy Agent work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls Open Policy Agent directly from the publisher.

How do I keep Open Policy Agent up to date?

Run winget upgrade --id open-policy-agent.opa --exact, or winget upgrade --all to update everything winget tracks. We index 3 versions of Open Policy Agent from microsoft/winget-pkgs.

Recent versions

1.7.1latest
1.3.0
0.58