Spicedb · Spicedb · CVE-2024-32001
**Name of the Vulnerable Software and Affected Versions**
SpiceDB versions prior to v1.30.1
**Description**
A relation of the form `relation folder: folder | folder#parent`, combined with an arrow over that relation such as `folder->view`, can cause LookupSubjects to return only partial results. The bug is triggered when three conditions hold together: the same subject type is used multiple times in a relation, relationships exist for both subject types, and an arrow is used over the relation. Any user relying on LookupSubjects for negative authorization decisions with versions before v1.30.1 is affected, because a subject missing from a partial result would be wrongly treated as having no access.
**Recommendations**
For versions prior to v1.30.1, update to version v1.30.1 to resolve the issue.
As a temporary workaround, avoid using LookupSubjects for negative authorization decisions and/or avoid the affected schema pattern.
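To find out whether a schema contains the pattern from the description, the following added example (not SpiceDB code and not part of the original advisory) scans schema text for relations that list the same subject type more than once and are also used on the left side of an arrow. It is a regex-based heuristic: the function name `find_affected_relations` is hypothetical, the sample schema is constructed, and it cannot tell whether relationships actually exist for both subject types.

```python
import re
from collections import Counter

# Constructed sample schema using the relation form quoted in the advisory.
SAMPLE_SCHEMA = """
definition user {}

definition folder {
    relation parent: folder
    relation viewer: user
    permission view = viewer + parent->view
}

definition document {
    // same subject type listed twice, and an arrow over the relation below
    relation folder: folder | folder#parent
    relation reader: user
    permission view = reader + folder->view
}
"""

DEF_RE = re.compile(r"definition\s+([\w/]+)\s*\{(.*?)\}", re.S)
REL_RE = re.compile(r"relation\s+(\w+)\s*:\s*([^\n]+)")
PERM_RE = re.compile(r"permission\s+(\w+)\s*=\s*([^\n]+)")


def find_affected_relations(schema: str):
    """Return (definition, relation, [permissions]) for each match of the pattern."""
    schema = re.sub(r"//[^\n]*|/\*.*?\*/", "", schema, flags=re.S)  # drop comments
    findings = []
    for def_name, body in DEF_RE.findall(schema):
        perms = PERM_RE.findall(body)
        for rel_name, allowed in REL_RE.findall(body):
            # Base type is the part before '#relation', ':*' or ' with <caveat>'.
            bases = [re.split(r"[#:\s]", t.strip(), maxsplit=1)[0]
                     for t in allowed.split("|")]
            if max(Counter(bases).values()) < 2:
                continue  # every subject type appears only once
            arrow = re.compile(rf"\b{re.escape(rel_name)}\s*->")
            hits = [name for name, expr in perms if arrow.search(expr)]
            if hits:  # an arrow walks over the relation in these permissions
                findings.append((def_name, rel_name, hits))
    return findings


if __name__ == "__main__":
    for definition, relation, perms in find_affected_relations(SAMPLE_SCHEMA):
        print(f"{definition}#{relation}: arrow used in permission(s) {perms}")
```

Any hit on a deployment running a version before v1.30.1 marks a relation whose LookupSubjects results should not be used for negative authorization decisions until the upgrade is applied.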