7 matches found

NVD
added 2026/04/15 4:17 a.m. · 3 views

CVE-2026-40091

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside...

CVSS 6 · EPSS 0.00017
Exploits 0 · References 2
Snyk
added 2025/11/21 6:6 p.m. · 1 views

Insecure Inherited Permissions

Overview: Affected versions of this package are vulnerable to Insecure Inherited Permissions in the LookupResources API. An attacker can cause incomplete or missing results to be returned by crafting schemas that define permissions using unions referencing the same relation with different...

CVSS 6.3 · AI score 6.7 · EPSS 0.00053
Exploits 0 · References 2
EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2024-0930

Malicious code in bioql PyPI...

CVSS 9.1 · AI score 7.3 · EPSS 0.00111
Exploits 0 · References 4
Positive Technologies
added 2025/06/06 12:0 a.m. · 5 views

PT-2025-24316 · Spicedb · Spicedb

Name of the Vulnerable Software and Affected Versions: SpiceDB versions prior to 1.44.2

Description: The issue affects SpiceDB, an open source database for storing and querying fine-grained authorization data. On schemas involving arrows with caveats on the arrow'ed relation, when the path to...

CVSS 3.7 · AI score 6.2 · EPSS 0.0019
Exploits 0 · References 10
Veracode
added 2024/10/21 11:28 a.m. · 4 views

Privilege Escalation

github.com/authzed/spicedb is vulnerable to Privilege Escalation. The vulnerability is due to a bug in the LookupResources2 feature, where requests with caveats in the evaluation path may return a CONDITIONAL permissionship with missing context, even when the context was provided...

CVSS 2.4 · AI score 6.5 · EPSS 0.00114
Exploits 0 · References 2 · Affected Software 1
Veracode
added 2024/09/23 1:11 p.m. · 5 views

Authorization Bypass

github.com/authzed/spicedb is vulnerable to Authorization Bypass. The vulnerability is due to incorrect handling of multiple caveats on the same indirect subject type. It allows an attacker to deny legitimate access, resulting in incorrect "no permission" responses when permissions should be...

CVSS 5.3 · AI score 6.6 · EPSS 0.0017
Exploits 0 · References 4 · Affected Software 1
Veracode
added 2022/01/12 4:20 a.m. · 22 views

Improper Input Validation

spicedb is vulnerable to improper input validation. The vulnerability exists due to a wrongly implemented wildcard, which allows an attacker to perform unauthenticated actions with wildcard permissions...

CVSS 8.1 · AI score 3.9 · EPSS 0.00355
Exploits 0 · References 5 · Affected Software 1