
CVE-2025-49011 – SpiceDB checks involving relations with caveats can result in no permission when permission is expected
https://notcve.org/view.php?id=CVE-2025-49011
06 Jun 2025 — SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.
Reference: https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67
CWE-358: Improperly Implemented Security Check for Standard

CVE-2024-48909 – SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not
https://notcve.org/view.php?id=CVE-2024-48909
14 Oct 2024 — SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can receive a permissionship of `CONDITIONAL` with context marked as missing, even when the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.3...
Reference: https://github.com/authzed/spicedb/commit/2f3cf77a7fcfcb478ef5a480a245842c96ac8853
CWE-172: Encoding Error

CVE-2024-46989 – Multiple caveats on resources of the same type can result in no permission when permission is expected
https://notcve.org/view.php?id=CVE-2024-46989
18 Sep 2024 — spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be "no permission" when permission is expected. Permission is returned as NO_PERMISSION when PERMISSION is expected on...
Reference: https://github.com/authzed/spicedb/commit/d4ef8e1dbce1eafaf25847f4c0f09738820f5bf2
CWE-269: Improper Privilege Management

CVE-2024-38361 – Permissions processing error in SpiceDB
https://notcve.org/view.php?id=CVE-2024-38361
20 Jun 2024 — Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user...
Reference: https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb
CWE-281: Improper Preservation of Permissions

CVE-2024-32001 – SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used
https://notcve.org/view.php?id=CVE-2024-32001
10 Apr 2024 — SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form `relation folder: folder | folder#parent` together with an arrow such as `folder->view` can cause LookupSubjects to return only the subjects found under one of `folder` or `folder#parent`, rather than both. This bug only manifests if the same subject type is used multiple times in a relation, relationships exist for both subject types, and an arrow is used over the relation. Any user making a negative a...
Reference: https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c7b
CWE-755: Improper Handling of Exceptional Conditions

CVE-2024-27101 – Integer overflow in chunking helper causes dispatching to miss elements or panic
https://notcve.org/view.php?id=CVE-2024-27101
01 Mar 2024 — SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This vulnerability is fixed in 1.29.2.
Reference: https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe
CWE-190: Integer Overflow or Wraparound
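The failure mode above (a 16-bit quantity wrapping once more than 65535 relationships are present) is easy to reproduce in miniature. The following Go program is an added example written for this page; it is not SpiceDB's chunking helper, whose code is not shown here, and the exact arithmetic of the original bug is an assumption. It contrasts a helper that keeps its offsets in uint16 with one that uses int, and shows both outcomes the advisory names: silently dropped elements and a slice-bounds panic.

```go
package main

import "fmt"

// chunkUint16 illustrates the bug class (assumption: the real helper's
// arithmetic differed). Length and offsets are held in uint16, so once
// len(items) exceeds 65535 the count wraps and elements are skipped; near
// the top of the range start+size wraps below start and slicing panics.
func chunkUint16(items []string, size uint16) [][]string {
	var chunks [][]string
	n := uint16(len(items)) // 70000 wraps to 4464; 65536 wraps to 0
	for start := uint16(0); start < n; start += size {
		end := start + size // also wraps, e.g. 65500+100 -> 64
		if end > n {
			end = n
		}
		chunks = append(chunks, items[start:end]) // panics when end < start
	}
	return chunks
}

// chunkInt is the corrected shape: int offsets, explicit clamp, no wraparound.
func chunkInt(items []string, size int) [][]string {
	if size <= 0 {
		panic("chunk size must be positive")
	}
	chunks := make([][]string, 0, (len(items)+size-1)/size)
	for start := 0; start < len(items); start += size {
		end := start + size
		if end > len(items) {
			end = len(items)
		}
		chunks = append(chunks, items[start:end])
	}
	return chunks
}

// CountChunked runs fn over a constructed input of n relationships and reports
// how many elements the returned chunks cover and whether fn panicked.
func CountChunked(n int, fn func([]string) [][]string) (covered int, panicked bool) {
	items := make([]string, n)
	for i := range items {
		items[i] = fmt.Sprintf("document:doc%d#viewer@user:u%d", i, i) // constructed tuples
	}
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	for _, c := range fn(items) {
		covered += len(c)
	}
	return covered, false
}

func main() {
	buggy := func(items []string) [][]string { return chunkUint16(items, 100) }
	fixed := func(items []string) [][]string { return chunkInt(items, 100) }
	for _, n := range []int{65535, 65536, 70000} {
		c, p := CountChunked(n, buggy)
		fmt.Printf("uint16 helper, %d relationships: covered %d, panicked %v\n", n, c, p)
		c, p = CountChunked(n, fixed)
		fmt.Printf("int helper,    %d relationships: covered %d, panicked %v\n", n, c, p)
	}
}
```

With 70000 relationships the uint16 helper covers only 4464 of them; with exactly 65536 it covers none; with 65535 and a chunk size of 100 the final offset wraps and the slice expression panics. The int version covers every element in all three cases.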

CVE-2023-46255 – `SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed
https://notcve.org/view.php?id=CVE-2023-46255
31 Oct 2023 — SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.
Reference: https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8
CWE-532: Insertion of Sensitive Information into Log File
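The lesson of this entry is that the error path for a connection string must never echo the raw value. The Go function below is an added example for this page, not SpiceDB's code: it redacts the userinfo of a datastore URI whether or not `net/url` can parse it. Note that Go's `net/url` accepts `:` inside a password, so the malformed case here uses a space instead (the parser SpiceDB used is not shown on this page). All URIs are constructed and contain no real credentials.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// userinfoRe matches "scheme://<authority up to its last '@'>@" so a credential
// can be masked even when url.Parse rejects the string. The greedy [^/]* stops
// at the first '/' and backtracks to the last '@' before it.
var userinfoRe = regexp.MustCompile(`^([a-zA-Z][a-zA-Z0-9+.-]*://)[^/]*@`)

// RedactDatastoreURI returns a form of raw that is safe to put in a log line
// or error message. The raw value is never returned on the error path, which
// is exactly the mistake the advisory describes.
func RedactDatastoreURI(raw string) string {
	if u, err := url.Parse(raw); err == nil {
		if u.User != nil {
			if _, hasPassword := u.User.Password(); hasPassword {
				return u.Redacted() // password replaced with "xxxxx"
			}
		}
		return u.String()
	}
	// Unparseable: scrub the userinfo textually rather than printing raw.
	if userinfoRe.MatchString(raw) {
		return userinfoRe.ReplaceAllString(raw, "${1}REDACTED@")
	}
	return "<unparseable datastore URI, value withheld>"
}

func main() {
	// Constructed inputs; none is a real credential.
	for _, raw := range []string{
		"postgres://spicedb:s3cret@db.internal:5432/spicedb",
		"postgres://spicedb:pa:ss@db.internal:5432/spicedb", // ':' in password parses fine with net/url
		"postgres://spicedb:pa ss@db.internal:5432/spicedb", // rejected by net/url: invalid userinfo
		"postgres://db.internal:5432/spicedb",
		"cockroach db://x:y@h/d", // no URI shape at all
	} {
		_, err := url.Parse(raw)
		fmt.Printf("parse failed=%-5v log as: %s\n", err != nil, RedactDatastoreURI(raw))
	}
}
```

The two branches matter equally: `url.URL.Redacted` handles the well-formed case, and the regexp fallback handles the case that triggered the original leak, where parsing fails before any structured redaction is possible.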

CVE-2023-35930 – LookupResources may return partial results in spicedb
https://notcve.org/view.php?id=CVE-2023-35930
26 Jun 2023 — SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, using `LookupResources` to build a list of resources to grant access to is acceptable: at worst, some subjects that should have access to a resource will not get it. But if using `LookupResources` to find a list of banned resources instead, then some users th...
Reference: https://github.com/authzed/spicedb/pull/1397
CWE-913: Improper Control of Dynamically-Managed Code Resources

CVE-2023-29193 – SpiceDB binding metrics port to untrusted networks and can leak command-line flags
https://notcve.org/view.php?id=CVE-2023-29193
14 Apr 2023 — SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key` which is used to protect the gRPC API from being accessed by unauthorized requests. The values of this flag are to be considered sensitive, secret data. The `/debug/pprof/cmdline` endpoint served by the metrics service (running by default on port `9090`) reveals the command-line flags provided for de...
Reference: https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999
CWE-209: Generation of Error Message Containing Sensitive Information
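The mechanism behind this entry is generic to Go services: `net/http/pprof`'s `Cmdline` handler writes the process's `os.Args` back to the caller, so any secret passed as a flag is readable by whoever can reach the port it is mounted on. The program below is an added example for this page, not SpiceDB's metrics server; the handler names, the placeholder metric and the fake `--grpc-preshared-key` value are constructed. It shows the leak in-process, without opening a socket, and the hardened shape beside it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // importing this also registers /debug/pprof/* on http.DefaultServeMux
	"os"
	"strings"
)

func metricsHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "example_up 1") // constructed placeholder metric
}

// debugMux reproduces the risky shape: the metrics listener also mounts a
// pprof handler, so /debug/pprof/cmdline echoes the process's argv.
func debugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", metricsHandler)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	return mux
}

// metricsOnlyMux is the hardened shape: a dedicated mux serving only /metrics.
// A fresh mux matters because the pprof import above has already registered
// its handlers on http.DefaultServeMux.
func metricsOnlyMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", metricsHandler)
	return mux
}

// fetchCmdline performs GET /debug/pprof/cmdline against h entirely in-process.
func fetchCmdline(h http.Handler) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/debug/pprof/cmdline", nil))
	return rec.Code, rec.Body.String()
}

// ExposesArg reports whether h reveals the given command-line argument.
// pprof.Cmdline joins os.Args with NUL bytes, so a --flag=value pair comes
// back verbatim, preshared key included.
func ExposesArg(h http.Handler, arg string) bool {
	code, body := fetchCmdline(h)
	if code != http.StatusOK {
		return false
	}
	for _, a := range strings.Split(body, "\x00") {
		if a == arg {
			return true
		}
	}
	return false
}

func main() {
	// Constructed: pretend the process was started with a secret on the command line.
	secret := "--grpc-preshared-key=constructed-not-a-real-key"
	os.Args = append(os.Args, secret)

	fmt.Println("metrics mux with pprof leaks the flag:", ExposesArg(debugMux(), secret))
	fmt.Println("DefaultServeMux leaks the flag:       ", ExposesArg(http.DefaultServeMux, secret))
	fmt.Println("metrics-only mux leaks the flag:      ", ExposesArg(metricsOnlyMux(), secret))

	// Hardened deployment: the dedicated mux on loopback only. Pair this with
	// reading the preshared key from an environment variable or file so that
	// nothing sensitive is in argv in the first place.
	_ = &http.Server{Addr: "127.0.0.1:9090", Handler: metricsOnlyMux()}
}
```

Two points carry over to any service: profiling endpoints belong on an operator-only listener, never on a port that is reachable from untrusted networks, and secrets should not travel in argv at all, since `/proc/<pid>/cmdline` and `ps` expose them just as `pprof.Cmdline` does.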

CVE-2022-21646 – Lookup operations do not take into account wildcards in SpiceDB
https://notcve.org/view.php?id=CVE-2022-21646
11 Jan 2022 — SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as "accessible" even when it is *not* accessible, by virtue of the inclusion of the wildcard in the intersection or on the right side of the exclusion. In `v1.3.0`, the wildcard is ignored entirely in lookup's dispatch, resulting in the `banned` wildcar...
Reference: https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970
CWE-20: Improper Input Validation
CWE-155: Improper Neutralization of Wildcards or Matching Symbols
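This entry and CVE-2023-35930 above share one operational lesson: lookup results and CheckPermission can disagree, and only a check is authoritative. The Go program below is an added example for this page; it is a toy in-memory model of Zanzibar-style semantics, not SpiceDB's engine, and its schema, tuples and function names are constructed. It models `permission view = viewer - banned` with a `user:*` wildcard on the excluded side, reproduces the v1.3.0 symptom (a lookup that ignores wildcards during dispatch) and shows the remedy of re-validating every lookup hit with a check.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Rel is one relationship tuple: resource#relation@subject.
type Rel struct{ Resource, Relation, Subject string }

// Constructed data for a toy schema (not SpiceDB's own code):
//   definition document {
//     relation viewer: user | user:*
//     relation banned: user | user:*
//     permission view = viewer - banned
//   }
var tuples = []Rel{
	{"document:readme", "viewer", "user:alice"},
	{"document:readme", "viewer", "user:bob"},
	{"document:readme", "banned", "user:*"}, // wildcard on the right side of the exclusion
	{"document:secret", "viewer", "user:alice"},
	{"document:secret", "banned", "user:bob"},
	{"document:public", "viewer", "user:*"}, // wildcard on the left side
}

// hasRel reports whether subject holds relation on resource, either directly
// or, when wildcards is true, through a user:* tuple.
func hasRel(resource, relation, subject string, wildcards bool) bool {
	for _, t := range tuples {
		if t.Resource != resource || t.Relation != relation {
			continue
		}
		if t.Subject == subject || (wildcards && t.Subject == "user:*") {
			return true
		}
	}
	return false
}

// Check evaluates view = viewer - banned with full wildcard semantics.
func Check(resource, subject string) bool {
	return hasRel(resource, "viewer", subject, true) && !hasRel(resource, "banned", subject, true)
}

// LookupViewable lists the resources on which subject has view. With
// honourWildcards=false it behaves like the v1.3.0 lookup the advisory
// describes, which ignored wildcard tuples during dispatch: a resource banned
// via user:* is wrongly reported as accessible, and one viewable only via
// user:* is omitted.
func LookupViewable(subject string, honourWildcards bool) []string {
	seen := map[string]bool{}
	var out []string
	for _, t := range tuples {
		r := t.Resource
		if seen[r] {
			continue
		}
		seen[r] = true
		if hasRel(r, "viewer", subject, honourWildcards) && !hasRel(r, "banned", subject, honourWildcards) {
			out = append(out, r)
		}
	}
	sort.Strings(out)
	return out
}

// CheckedLookup re-validates each lookup hit with Check before it is used.
// This removes false positives; it cannot recover resources the lookup omitted.
func CheckedLookup(subject string, honourWildcards bool) []string {
	var out []string
	for _, r := range LookupViewable(subject, honourWildcards) {
		if Check(r, subject) {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	fmt.Println("lookup ignoring wildcards:", strings.Join(LookupViewable("user:alice", false), ", "))
	fmt.Println("lookup honouring wildcards:", strings.Join(LookupViewable("user:alice", true), ", "))
	fmt.Println("lookup re-checked:", strings.Join(CheckedLookup("user:alice", false), ", "))
	fmt.Println("Check(document:readme, user:alice):", Check("document:readme", "user:alice"))
}
```

For alice the wildcard-ignoring lookup returns `document:readme`, which Check denies because `banned@user:*` covers her; re-checking drops it. The same lookup also misses `document:public`, and no amount of re-checking brings that back, which is why the partial-results advisory (CVE-2023-35930) warns specifically against negative decisions built from lookup output.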