Lucene search
K
AuthzedSpicedb

13 matches found

CVE
CVE
added 2023/04/14 7:1 p.m.515 views

CVE-2023-29193

CVE-2023-29193 affects SpiceDB. The issue: the metrics service exposes the /debug/pprof/cmdline endpoint, which can reveal the spiceDB server’s command-line flags, including a configured --grpc-preshared-key, if exposed publicly on the metrics port. Impact: most production deployments following r...

8.7CVSS8.2AI score0.00762EPSS
Web
CVE
CVE
added 2024/06/20 10:18 p.m.329 views

CVE-2024-38361

SpiceDB (spicedb) vulnerability CVE-2024-38361 affects the permission-check flow: an exclusion under an arrow with multiple resources may cause a NO_PERMISSION response when PERMISSION is expected on CheckPermission, due to a failure in the exclusion dispatcher to query all folders a user can acc...

5.3CVSS3.8AI score0.00396EPSS
CVE
CVE
added 2024/03/01 9:1 p.m.316 views

CVE-2024-27101

CVE-2024-27101 affects SpiceDB (Google Zanzibar-inspired permissions store). The root cause is an integer overflow in the chunking helper, which can cause dispatching to miss elements or panic when a resource has more than 65,535 relationships for a given resource and subject type. Affected API m...

9.1CVSS7AI score0.00456EPSS
CVE
CVE
added 2024/04/10 10:25 p.m.294 views

CVE-2024-32001

Summary: CVE-2024-32001 affects SpiceDB. A bug in relations of the form folder: folder | folder#parent, when the same subject type is used multiple times and an arrow is used over the relation, can cause LookupSubjects to return only a subset of subjects. This affects any user making a negative a...

4.3CVSS3.7AI score0.00578EPSS
CVE
CVE
added 2023/10/31 3:25 p.m.287 views

CVE-2023-46255

SpiceDB (open source, Google Zanzibar-inspired permissions store) has a log exposure flaw: if the datastore URI is malformed (for example, a password containing a colon), the full URI including the password is printed to logs. This is addressed in version 1.27.0-rc1. Upgrade to 1.27.0-rc1 or late...

6.5CVSS5.2AI score0.00391EPSS
CVE
CVE
added 2022/01/11 9:50 p.m.97 views

CVE-2022-21646

SpiceDB vulnerability CVE-2022-21646 affects wildcard handling in lookups: using a wildcard on the right side of an intersection or within an exclusion can cause Lookup/LookupResources to treat resources as accessible when they are not. In v1.3.0 the wildcard was ignored in dispatch, making the b...

8.1CVSS8AI score0.01472EPSS
CVE
CVE
added 2024/10/14 8:22 p.m.92 views

CVE-2024-48909

Technical details for CVE-2024-48909 are not publicly available in the provided documents; monitor for updates.

2.4CVSS3.3AI score0.00307EPSS
CVE
CVE
added 2024/09/18 5:29 p.m.78 views

CVE-2024-46989

CVE-2024-46989 affects SpiceDB (spicedb): having multiple caveats on resources of the same indirect subject type within the same relation can cause CheckPermission to return NO_PERMISSION instead of PERMISSION when expected. The issue can occur when a resource has multiple groups and each is cave...

5.3CVSS3.9AI score0.0029EPSS
CVE
CVE
added 2025/06/06 5:36 p.m.63 views

CVE-2025-49011

SpiceDB (v1.44.x) vulnerability: when resolving CheckPermission paths that involve arrows with caveats, the evaluation across multiple caveated branches may incorrectly return NO_PERMISSION instead of PERMISSION. Root cause is in caveats on an arrow’ed relation affecting multi-branch permission c...

5.3CVSS7.1AI score0.00266EPSS
CVE
CVE
added 2025/11/10 10:28 p.m.58 views

CVE-2025-64529

SpiceDB prior to v1.45.2 is affected when the exclusion operator is used and a per-call payload is large due to --write-relationships-max-updates-per-call > 6500. In this scenario, WriteRelationships can return success for a failed operation and produce incorrect permission results if the affe...

6.9CVSS6.3AI score0.0024EPSS
CVE
CVE
added 2023/06/26 7:32 p.m.40 views

CVE-2023-35930

SpiceDB's LookupResources may return partial results in v1.22.0, allowing some subjects to slip through or be incorrectly denied. The root cause is using LookupResources for negative authorization decisions. Upgrade to v1.22.2 to patch the issue, or avoid using LookupResources for negative decisi...

5.3CVSS4.5AI score0.00448EPSS
CVE
CVE
added 2025/11/21 10:2 p.m.12 views

CVE-2025-65111

CVE-2025-65111 affects SpiceDB prior to version 1.47.1. Affected behavior: when a schema defines a permission as a union and the union references the same relation on both sides (but one side points to a different permission), the LookupResources API may return incomplete results. Other APIs calc...

6.3CVSS6.3AI score0.0019EPSS
CVE
CVE
added 2026/04/14 11:50 p.m.9 views

CVE-2026-40091

SpiceDB 1.49.0–1.51.0 logs startup configuration with the full datastore DSN (DatastoreConfig.URI), including plaintext password, when the log level is info. This exposes credentials in startup logs. The issue is fixed in 1.51.1. If upgrading is not possible, the recommended workaround is to set ...

6CVSS5.8AI score0.00166EPSS