
Tim-Mod

#42507 of 53,608
6.3 Total CVSS
Vulnerabilities · 1
PT-2024-32323
6.3
2024-09-18
Spicedb · Spicedb · CVE-2024-46989
**Name of the Vulnerable Software and Affected Versions**

SpiceDB versions prior to 1.35.3

**Description**

The issue arises when multiple caveats are applied over the same indirect subject type on the same relation, potentially resulting in no permission being returned when permission is expected. This can occur if a resource has multiple groups, and each group is caveated. The `CheckPermission` API may return `NO PERMISSION` when `PERMISSION` is expected.

**Recommendations**

For versions prior to 1.35.3, upgrade to release version 1.35.3 to address the issue. As a temporary workaround for users unable to upgrade, consider not using caveats or avoiding the use of caveats on an indirect subject type with multiple entries.