Description
SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.
Published: 2026-06-10
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in SpiceDB versions between 1.15.0 and before 1.52.0 allows caveat structures that contain nested lists to trigger incorrect cache reuse. As a result, permission checks can return an authorization verdict that does not accurately reflect the defined rules, potentially granting unintended access to protected resources or actions.

Affected Systems

The affected product is SpiceDB from the Authzed vendor. Versions starting with 1.15.0 up through the latest release that precedes 1.52.0 are susceptible. The patch was applied in release 1.52.0.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity, and the EPSS score of < 1% indicates a very low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. The attack vector is not explicitly stated in the advisory, but the flaw involves the handling of caveat data, so it is likely exploitable in contexts where an attacker can influence or craft caveat structures—either directly via the API or indirectly through data injection. An attacker who can craft such caveats could potentially bypass authorization checks and access resources they are not entitled to.

Generated by OpenCVE AI on June 26, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SpiceDB to version 1.52.0 or newer.
  • Restart all SpiceDB instances to ensure the updated code and cache are in use.
  • Validate that the cache is properly refreshed by running test authorization scenarios that involve caveats with nested lists.

Generated by OpenCVE AI on June 26, 2026 at 02:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mqcf-gqvg-rmhm SpiceDB: Caveat structures with nested lists can result in improper cache reuse
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-237
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Moderate


Thu, 11 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Authzed
Authzed spicedb
Vendors & Products Authzed
Authzed spicedb

Wed, 10 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.
Title SpiceDB: Caveat structures with nested lists can result in improper cache reuse
Weaknesses CWE-285
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T16:15:36.256Z

Reserved: 2026-05-15T21:46:51.546Z

Link: CVE-2026-46668

cve-icon Vulnrichment

Updated: 2026-06-11T12:29:34.302Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T22:16:59.893

Modified: 2026-06-11T15:35:45.203

Link: CVE-2026-46668

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T20:11:44Z

Links: CVE-2026-46668 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T02:15:15Z

Weaknesses
  • CWE-237

    Improper Handling of Structural Elements

  • CWE-285

    Improper Authorization