PT-2024-32323 · Spicedb · Spicedb

Tim-Mod · Published 2024-09-18 · Updated 2024-09-25 · CVE-2024-46989

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
spicedb versions prior to 1.35.3

Description
The issue arises when multiple caveats are applied over the same indirect subject type on the same relation, potentially resulting in no permission being returned when permission is expected. This can occur if a resource has multiple groups, and each group is caveated. The CheckPermission API may return NO PERMISSION when PERMISSION is expected.

Recommendations
For versions prior to 1.35.3, upgrade to release version 1.35.3 to address the issue. As a temporary workaround for users unable to upgrade, consider not using caveats, or avoid using caveats on an indirect subject type with multiple entries.
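A constructed reproduction of the shape the description refers to, added here and not taken from the advisory or the SpiceDB project, written as a `zed validate` file; the schema, caveat, object names and the `region` context key are all assumptions. One user belongs to two groups that are attached to the same resource through the same relation and the same indirect subject type (`group#member`), each with its own caveat context; the assertions state what a correct evaluation returns for each context, so an operator can run the file against a deployment before and after upgrading to 1.35.3.

```yaml
# Constructed example (not from the advisory): a zed validation file that
# places two caveated group memberships on one relation of one resource.
schema: |-
  definition user {}

  // Caveat evaluated against the "region" key supplied at check time.
  caveat in_region(region string, allowed string) {
    region == allowed
  }

  definition group {
    relation member: user
  }

  definition document {
    // Indirect subject type (group#member) carrying a caveat.
    relation viewer: group#member with in_region
    permission view = viewer
  }

relationships: |-
  group:eng#member@user:alice
  group:ops#member@user:alice
  document:spec#viewer@group:eng#member[in_region:{"allowed":"eu"}]
  document:spec#viewer@group:ops#member[in_region:{"allowed":"us"}]

assertions:
  # Results a correct evaluation must return. The advisory states that an
  # affected release may answer NO PERMISSION for one or both of the
  # assertTrue checks, which is the regression the upgrade fixes.
  assertTrue:
    - 'document:spec#view@user:alice with {"region": "eu"}'
    - 'document:spec#view@user:alice with {"region": "us"}'
  assertFalse:
    - 'document:spec#view@user:alice with {"region": "apac"}'
```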

Weakness Enumeration

Improper Privilege Management
Improper Authorization

Related Identifiers

CVE-2024-46989
GHSA-JHG6-6QRX-38MR
GO-2024-3131

Affected Products

Spicedb