Description
SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.
Published: 2026-06-10
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in SpiceDB versions between 1.15.0 and before 1.52.0 allows caveat structures that contain nested lists to trigger incorrect cache reuse. As a result, permission checks can return an authorization verdict that does not accurately reflect the defined rules, potentially granting unintended access to protected resources or actions.

Affected Systems

The affected product is SpiceDB from the Authzed vendor. Versions starting with 1.15.0 up through the latest release that precedes 1.52.0 are susceptible. The patch was applied in release 1.52.0.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity, and the EPSS score is not available, suggesting limited known exploitation. The vulnerability is not listed in CISA's KEV catalog. The attack vector is not explicitly stated in the advisory, but the flaw involves the handling of caveat data, so it is likely exploitable in contexts where an attacker can influence or craft caveat structures—either directly via the API or indirectly through data injection. An attacker who can craft such caveats could potentially bypass authorization checks and access resources they are not entitled to.

Generated by OpenCVE AI on June 10, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SpiceDB to version 1.52.0 or newer.
  • Restart all SpiceDB instances to ensure the updated code and cache are in use.
  • Validate that the cache is properly refreshed by running test authorization scenarios that involve caveats with nested lists.

Generated by OpenCVE AI on June 10, 2026 at 23:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mqcf-gqvg-rmhm SpiceDB: Caveat structures with nested lists can result in improper cache reuse
History

Wed, 10 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Authzed
Authzed spicedb
Vendors & Products Authzed
Authzed spicedb

Wed, 10 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.
Title SpiceDB: Caveat structures with nested lists can result in improper cache reuse
Weaknesses CWE-285
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Authzed Spicedb
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:11:44.193Z

Reserved: 2026-05-15T21:46:51.546Z

Link: CVE-2026-46668

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T22:16:59.893

Modified: 2026-06-10T22:16:59.893

Link: CVE-2026-46668

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:45:44Z

Weaknesses