SpiceDB checks involving relations with caveats can result in no permission when permission is expected

🗓️ 06 Jun 2025 21:41:00Reported by GitHub Advisory DatabaseType

SpiceDB may incorrectly deny permissions due to caveats in relation checks. Upgrade to v1.44.2.

Reporter	Title	Published	Views	Family All 18
Circl	CVE-2025-49011	6 Jun 202519:23	–	circl
CNNVD	SpiceDB 安全特征问题漏洞	6 Jun 202500:00	–	cnnvd
CVE	CVE-2025-49011	6 Jun 202517:36	–	cve
Cvelist	CVE-2025-49011 SpiceDB checks involving relations with caveats can result in no permission when permission is expected	6 Jun 202517:36	–	cvelist
EUVD	EUVD-2025-17360	3 Oct 202520:07	–	euvd
NVD	CVE-2025-49011	6 Jun 202518:15	–	nvd
OPENSUSE Linux	govulncheck-vulndb-0.0.20250612T141001-1.1 on GA media (moderate)	5 Jul 202500:00	–	opensuse
OSV	CVE-2025-49011 SpiceDB checks involving relations with caveats can result in no permission when permission is expected	6 Jun 202517:36	–	osv
OSV	GHSA-CWWM-HR97-QFXM SpiceDB checks involving relations with caveats can result in no permission when permission is expected	6 Jun 202521:41	–	osv
OSV	GO-2025-3744 SpiceDB checks involving relations with caveats can result in no permission when permission is expected in github.com/authzed/spicedb	10 Jun 202517:17	–	osv

Vulners

Node

authzed spicedbRange≤1.44.0go

Source	Link
github	www.github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-49011
github	www.github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67
github	www.github.com/authzed/spicedb/releases/tag/v1.44.2
github	www.github.com/advisories/GHSA-cwwm-hr97-qfxm

06 Jun 2025 21:41Current

4Medium risk

Vulners AI Score4

CVSS 3.13.7 - 5.3

EPSS0.0019

SSVC