19 matches found

Veracode
added 2026/03/19 8:13 a.m. · 2 views

Improper Authorization

github.com/authzed/spicedb is vulnerable to Improper Authorization. The vulnerability is due to incorrect handling of permission unions referencing the same relation in the LookupResources API, which allows an attacker to bypass expected permission checks by causing incomplete or missing...

6.3 CVSS · 5.8 AI score · 0.00053 EPSS
Exploits 0 · References 2 · Affected Software 1
Snyk
added 2026/02/06 10:30 p.m. · 2 views

Uncaught Exception

Overview Affected versions of this package are vulnerable to Uncaught Exception via the Sections component of the Cursor message. An attacker can cause the process to crash by submitting a malformed or tampered cursor token that triggers a panic during parsing. This is only exploitable if the...

5.3 CVSS · 5.7 AI score
Exploits 0 · References 3
RedhatCVE
added 2025/11/25 9:57 p.m. · 3 views

CVE-2025-65111

SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union + and that union references the same relation on both sides but one si...

6.3 CVSS · 6.3 AI score · 0.00053 EPSS
Exploits 0 · References 2
OSV
added 2025/11/25 6:12 p.m. · 2 views

GO-2025-4151 SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results in github.com/authzed/spicedb

SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results in github.com/authzed/spicedb...

6.3 CVSS · 6.9 AI score · 0.00053 EPSS
Exploits 0 · References 2
EUVD
added 2025/11/21 10:2 p.m. · 1 views

EUVD-2025-198499

SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union + and that union references the same relation on both sides but one si...

6.3 CVSS · 6.2 AI score · 0.00053 EPSS
Exploits 0 · References 3
OSV
added 2025/11/21 10:2 p.m. · 2 views

CVE-2025-65111 SpiceDB's LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results

SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union + and that union references the same relation on both sides but one si...

6.3 CVSS · 6.6 AI score · 0.00053 EPSS
Exploits 0 · References 4
Vulnrichment
added 2025/11/21 10:2 p.m. · 1 views

CVE-2025-65111 SpiceDB's LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results

SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union + and that union references the same relation on both sides but one si...

6.3 CVSS · 6.3 AI score · 0.00053 EPSS
Exploits 0 · References 2
Cvelist
added 2025/11/21 10:2 p.m. · 4 views

CVE-2025-65111 SpiceDB's LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results

SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union + and that union references the same relation on both sides but one si...

6.3 CVSS · 0.00053 EPSS
Exploits 0 · References 2
Snyk
added 2025/11/21 6:6 p.m. · 1 views

Insecure Inherited Permissions

Overview Affected versions of this package are vulnerable to Insecure Inherited Permissions in the LookupResources API. An attacker can cause incomplete or missing results to be returned by crafting schemas that define permissions using unions referencing the same relation with different...

6.3 CVSS · 6.7 AI score · 0.00053 EPSS
Exploits 0 · References 2
Positive Technologies
added 2025/11/21 12:0 a.m. · 4 views

PT-2025-47815

Name of the Vulnerable Software and Affected Versions SpiceDB versions prior to 1.47.1 Description SpiceDB is a database system used for managing security-critical application permissions. Versions of SpiceDB prior to 1.47.1 may exhibit incomplete LookupResources results when checking permissions...

6.3 CVSS · 6.5 AI score · 0.00053 EPSS
Exploits 0 · References 12
EUVD
added 2025/10/03 8:7 p.m. · 0 views

EUVD-2023-1842

Malicious code in bioql PyPI...

5.3 CVSS · 5.4 AI score · 0.00172 EPSS
Exploits 0 · References 5
RedhatCVE
added 2025/05/23 3:59 a.m. · 6 views

CVE-2023-35930

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. For example, using LookupResources...

5.3 CVSS · 6.6 AI score · 0.00172 EPSS
Exploits 0 · References 1
OSV
added 2024/08/20 8:31 p.m. · 11 views

GO-2023-1871 SpiceDB's LookupResources may return partial results in github.com/authzed/spicedb

SpiceDB's LookupResources may return partial results in github.com/authzed/spicedb...

5.3 CVSS · 4.5 AI score · 0.00172 EPSS
Exploits 0 · References 4
Veracode
added 2023/07/06 11:18 a.m. · 23 views

Improper Access Control

github.com/authzed/spicedb is vulnerable to Improper Access Control. The vulnerability is caused when a negative authorization decision is based on the results of LookupResources. The Check API should be used instead...

5.3 CVSS · 6.8 AI score · 0.00172 EPSS
Exploits 0 · References 4 · Affected Software 1
Github Security Blog
added 2023/06/28 10:48 p.m. · 25 views

SpiceDB's LookupResources may return partial results

Impact Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. For example, using LookupResources to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using...

5.3 CVSS · 6.3 AI score · 0.00172 EPSS
Exploits 0 · References 5 · Affected Software 1
NVD
added 2023/06/26 8:15 p.m. · 9 views

CVE-2023-35930

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. For example, using LookupResources...

5.3 CVSS · 4.4 AI score · 0.00172 EPSS
Exploits 0 · References 2
Prion
added 2023/06/26 8:15 p.m. · 17 views

Authorization

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. For example, using LookupResources...

5 CVSS · 5.1 AI score · 0.00172 EPSS
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2023/06/26 7:32 p.m. · 20 views

CVE-2023-35930 LookupResources may return partial results in spicedb

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. For example, using LookupResources...

3.7 CVSS · 6.9 AI score · 0.00172 EPSS
Exploits 0 · References 2
Positive Technologies
added 2023/06/26 12:0 a.m. · 1 views

PT-2023-25388 · Spicedb · Spicedb

Name of the Vulnerable Software and Affected Versions: SpiceDB version 1.22.0 Description: The issue affects users making negative authorization decisions based on the results of a LookupResources request. This can lead to incorrect access control, where some subjects may not have access to...

5.3 CVSS · 7.2 AI score · 0.00172 EPSS
Exploits 0 · References 9