PT-2024-24352 · Spicedb · Spicedb

Lowecordell · Published 2024-04-10 · Updated 2025-09-02 · CVE-2024-32001

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
SpiceDB versions prior to v1.30.1

Description
A schema that declares a relation with two subject types drawn from the same object type, one direct and one through a subject relation, for example relation folder: folder | folder#parent, and then walks that relation with an arrow such as folder->view, can cause the LookupSubjects API to return only part of the subject set. The partial result occurs when relationships exist for both subject types of that relation and the arrow is evaluated over it. Any user of a version before v1.30.1 who relies on LookupSubjects for negative authorization decisions (treating a subject's absence from the returned set as a denial) is affected: because the set is incomplete, such a decision can contradict what a direct permission check for that subject would return.

Recommendations
Update to v1.30.1 or later. Until the upgrade is done, do not derive negative authorization decisions from LookupSubjects (make per-subject decisions with CheckPermission instead) and/or avoid schemas that combine the affected relation form with an arrow over that relation.
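The check a practitioner would want, as an added example that is not part of this advisory or of the SpiceDB project: a differential test that flags every subject CheckPermission allows but LookupSubjects omits, next to the unsafe "absent from LookupSubjects means denied" pattern and its CheckPermission-based replacement. It runs offline against a constructed stand-in backend; the schema string, object IDs and subject names are assumptions for illustration, and only the folder relation and the folder->view arrow come from the advisory.

```python
"""Differential check for partial LookupSubjects results (added example).

No real SpiceDB is contacted: FakeBackend is a constructed stand-in whose
answers are hard-coded to reproduce the symptom in the advisory. To run the
check against a deployment, pass a real client's LookupSubjects and
CheckPermission calls in place of the fake's methods.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Only the `folder` relation and the `folder->view` arrow are taken from the
# advisory; the surrounding definitions are an assumed context, not the exact
# schema of the upstream report.
AFFECTED_SCHEMA_PATTERN = """
definition user {}

definition folder {
    relation parent: folder
    relation viewer: user
    permission view = viewer + parent->view
}

definition resource {
    relation folder: folder | folder#parent
    permission view = folder->view
}
"""


@dataclass(frozen=True)
class Subject:
    kind: str  # object type, e.g. "user"
    id: str

    def __str__(self) -> str:
        return f"{self.kind}:{self.id}"


LookupFn = Callable[[str, str], set[Subject]]
CheckFn = Callable[[str, str, Subject], bool]


def subjects_missing_from_lookup(resource: str, permission: str,
                                 candidates: Iterable[Subject],
                                 lookup_subjects: LookupFn,
                                 check_permission: CheckFn) -> set[Subject]:
    """Candidates that CheckPermission allows but LookupSubjects does not list.
    A non-empty result means LookupSubjects is returning partial data here, so
    any deny decision derived from the listing is unsafe."""
    listed = lookup_subjects(resource, permission)
    return {s for s in candidates
            if s not in listed and check_permission(resource, permission, s)}


def is_denied_unsafe(resource: str, permission: str, subject: Subject,
                     lookup_subjects: LookupFn) -> bool:
    """The pattern the advisory warns about: absence from the LookupSubjects
    result is treated as a denial, which with partial results denies subjects
    that actually hold the permission."""
    return subject not in lookup_subjects(resource, permission)


def is_denied(resource: str, permission: str, subject: Subject,
              check_permission: CheckFn) -> bool:
    """Workaround: a per-subject CheckPermission call decides instead."""
    return not check_permission(resource, permission, subject)


class FakeBackend:
    """Constructed stand-in for an affected SpiceDB (< v1.30.1). `truth` is the
    complete subject set CheckPermission answers from; `lookup` is the subset
    LookupSubjects reports, hard-coded to drop part of the set the way the
    advisory describes when both subject types of `folder` have relationships."""

    def __init__(self, truth: dict[tuple[str, str], set[Subject]],
                 lookup: dict[tuple[str, str], set[Subject]]) -> None:
        self.truth = truth
        self.lookup = lookup

    def lookup_subjects(self, resource: str, permission: str) -> set[Subject]:
        return set(self.lookup.get((resource, permission), set()))

    def check_permission(self, resource: str, permission: str,
                         subject: Subject) -> bool:
        return subject in self.truth.get((resource, permission), set())


# Constructed data: alice and bob hold view on the report, carol does not,
# and the partial LookupSubjects answer omits bob.
ALICE, BOB, CAROL = (Subject("user", "alice"), Subject("user", "bob"),
                     Subject("user", "carol"))
REPORT = "resource:report"  # assumed object ID


def build_affected_backend() -> FakeBackend:
    return FakeBackend(truth={(REPORT, "view"): {ALICE, BOB}},
                       lookup={(REPORT, "view"): {ALICE}})


def run_check() -> set[Subject]:
    """Differential check against the constructed backend; returns {user:bob}."""
    b = build_affected_backend()
    return subjects_missing_from_lookup(REPORT, "view", [ALICE, BOB, CAROL],
                                        b.lookup_subjects, b.check_permission)


if __name__ == "__main__":
    b = build_affected_backend()
    for s in run_check():
        print(f"{s}: allowed by CheckPermission, missing from LookupSubjects")
    print("unsafe path denies bob:", is_denied_unsafe(REPORT, "view", BOB, b.lookup_subjects))
    print("CheckPermission path denies bob:", is_denied(REPORT, "view", BOB, b.check_permission))
```

The candidate list is the only input the check needs beyond the two API calls; in a real deployment it would be the set of subjects the application is about to deny, so the test stays proportional to the decisions actually being made rather than enumerating every subject in the system.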

Weakness Enumeration

Improper Handling of Exceptional Conditions (CWE-755)

Related Identifiers

CVE-2024-32001
GHSA-J85Q-46HG-36P2
GO-2024-2716

Affected Products

Spicedb