24 matches found
PT-2026-42696
Impact Users are impacted if: - They have a caveat structure with a nested list, e.g.: zed caveat shapex list x == "a", "b" - Their system exercises that caveat with either CheckBulkPermission or else LookupResources running with the --experimental-lookup-resources-version flag set to lr3, implyi...
microcode_ctl security update
2:2.1-73.24.0.20250512 - update microcode bundle to 20250512 Orabug: 38139038 2:2.1-73.23.0.20250211 - update microcode bundle to 20250211 Orabug: 37670820 - drop releasenote.md file 2:2.1-73.20.0.1 - don't bother calling dracut if virtualized Orabug: 35702409 - also rebuild initramfs for...
EUVD-2025-17360
Malicious code in bioql PyPI...
SUSE CVE-2025-49011
SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow'ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, reques...
GO-2025-3744 SpiceDB checks involving relations with caveats can result in no permission when permission is expected in github.com/authzed/spicedb
SpiceDB checks involving relations with caveats can result in no permission when permission is expected in github.com/authzed/spicedb...
SpiceDB checks involving relations with caveats can result in no permission when permission is expected
Impact On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. For example, given this schema:...
GHSA-CWWM-HR97-QFXM SpiceDB checks involving relations with caveats can result in no permission when permission is expected
Impact On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. For example, given this schema:...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the evaluation of multiple caveated branches in the schema. An attacker can receive a NO_PERMISSION response when a HAS_PERMISSION response is expected by exploiting the incorrect handling of caveats in...
CVE-2025-49011
SpiceDB (v1.44.x) vulnerability: when resolving CheckPermission paths that involve arrows with caveats, the evaluation across multiple caveated branches may incorrectly return NO_PERMISSION instead of PERMISSION. Root cause is in caveats on an arrow’ed relation affecting multi-branch permission c...
CVE-2025-49011 SpiceDB checks involving relations with caveats can result in no permission when permission is expected
SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, reques...
PT-2025-24316 · Spicedb · Spicedb
Name of the Vulnerable Software and Affected Versions: SpiceDB versions prior to 1.44.2 Description: The issue affects SpiceDB, an open source database for storing and querying fine-grained authorization data. On schemas involving arrows with caveats on the arrow'ed relation, when the path to...
GO-2024-3131 SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb
SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb...
CVE-2024-46989
spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resourc...
SpiceDB having multiple caveats on resources of the same type may improperly result in no permission
Background Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected For example, given this schema: definition user caveat somecaveatsomefield int somefield == 42 definition group relation member: user...
GHSA-JHG6-6QRX-38MR SpiceDB having multiple caveats on resources of the same type may improperly result in no permission
Background Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected For example, given this schema: definition user caveat somecaveatsomefield int somefield == 42 definition group relation member: user...
CVE-2024-46989
CVE-2024-46989 affects SpiceDB (spicedb): having multiple caveats on resources of the same indirect subject type within the same relation can cause CheckPermission to return NO_PERMISSION instead of PERMISSION when expected. The issue can occur when a resource has multiple groups and each is cave...
CVE-2024-46989 Multiple caveats on resources of the same type can result in no permission when permission is expected
spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resourc...
GHSA-2H3H-Q99F-3FHC @npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following
Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution @npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and t...