PT-2026-42696 · Go · Github.Com/Authzed/Spicedb
Published 2026-05-21 · Updated 2026-06-10
CVE-2026-46668
CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
SpiceDB versions 1.15.0 through 1.51.x
Description
Caveat structures containing nested lists can lead to improper cache reuse. This occurs when the system processes these structures through the 'CheckBulkPermissions' endpoint, or through the 'LookupResources' endpoint while the --experimental-lookup-resources-version flag is set to lr3. An attacker could craft a request in which check items or resources are identical except for their caveat context; a cached result is then reused across them, and the system erroneously grants access to a resource that the user should not be able to access.
Recommendations
Update to version 1.52.0.
Disable the --experimental-lookup-resources-version flag if using version 3 of 'LookupResources'.
Refactor the caveat declaration structure to avoid lists of lists, using other composite structures instead.
Fix
Weakness Enumeration
Improper Authorization
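As an added audit example (not code from the advisory or from the SpiceDB project), the Go program below checks the three exposure conditions named above: a version in the affected range 1.15.0 through 1.51.x, the --experimental-lookup-resources-version flag set to lr3, and caveat declarations that use list<list<...>> parameters. The schema text and flag values are constructed for the example, and the flag is assumed to be passed either as --flag=lr3 or as --flag lr3.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample schema for the audit; not taken from the advisory or from SpiceDB.
const sampleSchema = `
caveat region_allowed(allowed_regions list<string>, region string) { region in allowed_regions }
caveat nested_acl(acl list<list<string>>, user string) { acl.exists(entry, user in entry) }`

// Matches a caveat declaration header, capturing its name and its parameter list.
var caveatRe = regexp.MustCompile(`caveat\s+(\w+)\s*\(([^)]*)\)`)

// caveatsWithNestedLists returns the caveats whose parameters declare a list of lists,
// the structure the advisory ties to improper cache reuse.
func caveatsWithNestedLists(schema string) []string {
	var found []string
	for _, m := range caveatRe.FindAllStringSubmatch(schema, -1) {
		if strings.Contains(strings.ReplaceAll(m[2], " ", ""), "list<list<") {
			found = append(found, m[1])
		}
	}
	return found
}

// versionAffected reports whether a version such as "v1.50.2" falls in 1.15.0 through 1.51.x.
func versionAffected(v string) bool {
	var major, minor int
	if _, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d", &major, &minor); err != nil {
		return false
	}
	return major == 1 && minor >= 15 && minor <= 51
}

// lr3Enabled reports whether LookupResources v3 is selected, in "--flag=lr3" or "--flag lr3" form.
func lr3Enabled(args []string) bool {
	const flag = "--experimental-lookup-resources-version"
	for i, a := range args {
		if a == flag+"=lr3" || (a == flag && i+1 < len(args) && args[i+1] == "lr3") {
			return true
		}
	}
	return false
}
```

A deployment is exposed through CheckBulkPermissions whenever the version is affected and a nested-list caveat exists; the lr3 check only tells you whether the LookupResources path is open as well.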
Related Identifiers
Affected Products
Github.Com/Authzed/Spicedb
Spicedb