SpiceDB: Caveat structures with nested lists can result in improper cache reuse
Description
Impact
Users are impacted if:
- They have a caveat structure with a nested list, e.g.:
  caveat shape(x list) {
    x == [["a"], "b"]
  }
- Their system exercises that caveat with either CheckBulkPermissions, or LookupResources running with the --experimental-lookup-resources-version flag set to lr3 (that is, the experimental version 3 of LookupResources).
- An attacker can cause the system to craft a request to SpiceDB where either:
  1. It is a CheckBulkPermissions request containing two check items that are identical except for their combined caveat context, where one caveat context evaluates positively and the other evaluates negatively.
  2. It is a LookupResources request where two resources have the same evaluation contents except for their caveat context, and one would evaluate positively while the other would evaluate negatively.
If all of the above are true, it would be possible for SpiceDB to erroneously return that a user has access to a resource that they do not have access to.
Patches
This problem was addressed in https://github.com/authzed/spicedb/pull/3065 and released in version v1.52.0.
Workarounds
If using v3 of LookupResources, turn off the --experimental-lookup-resources-version flag.
If possible, refactor the caveat declaration structure so that it does not operate on a list of lists, but rather any other composite structure.
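As an added check for the workaround above (not code from the advisory or the SpiceDB project), the following Python scans a schema for caveats that operate on a list of lists, either because a parameter is typed list<list<...>> or because the caveat expression contains a nested list literal. The sample schema is constructed, and its list<any>/list<string> parameter types are assumed rather than taken from the advisory's `x list` shorthand.

```python
import re

# Constructed sample schema (not the advisory's or SpiceDB's own): the nested
# list literal the advisory describes, a flat list, and a list<list<>> parameter.
SAMPLE_SCHEMA = """
caveat shape(x list<any>) {
  x == [["a"], "b"]
}
caveat flat(y list<string>) { y == ["a", "b"] }
caveat matrix(m list<list<int>>) { m.size() > 0 }
"""

# name, parameter list, body; bodies are assumed not to contain '}' themselves.
CAVEAT_RE = re.compile(r"caveat\s+(\w+)\s*\(([^)]*)\)\s*\{(.*?)\}", re.DOTALL)

def max_list_literal_depth(expr: str) -> int:
    """Deepest list-literal nesting in a CEL expression (strings and indexing ignored)."""
    stack, depth, best, quote, prev, esc = [], 0, 0, None, "", False
    for ch in expr:
        if quote:                          # inside a string literal
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == quote:
                quote, prev = None, ch
            continue
        if ch in "'\"":
            quote = ch
        elif ch == "[":
            literal = not (prev.isalnum() or prev in ("_", ")", "]"))  # else indexing
            stack.append(literal)
            depth += literal
            best = max(best, depth)
        elif ch == "]" and stack:
            depth -= stack.pop()
        if not ch.isspace():
            prev = ch
    return best

def find_nested_list_caveats(schema: str) -> list:
    """Caveats to refactor: list<list<...>> parameters or nested list literals."""
    findings = []
    for name, params, body in CAVEAT_RE.findall(schema):
        checks = [(re.search(r"list\s*<\s*list\s*<", params), "parameter typed list<list<...>>"),
                  (max_list_literal_depth(body) >= 2, "nested list literal in expression")]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            findings.append({"caveat": name, "reasons": reasons})
    return findings
```

Run find_nested_list_caveats over your own schema text; any caveat it reports is one the workaround asks you to restructure before relying on it.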
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper cache reuse in SpiceDB for caveat contexts with nested lists can lead to false-positive permission results via CheckBulkPermissions or LookupResources.
Vulnerability
CVE-2026-46668 is a low-severity vulnerability in SpiceDB, an authorization database. The issue arises when a caveat structure uses a nested list (e.g., x == [["a"], "b"]). Because of a cache key collision, requests with identical evaluation contents but different caveat contexts may be cached incorrectly, leading to erroneous permission results [1][2].
Exploitation
An attacker can exploit this by crafting specific requests to CheckBulkPermissions or the experimental version 3 of LookupResources (enabled with --experimental-lookup-resources-version lr3). In CheckBulkPermissions, two check items that are identical except for their caveat context, one evaluating positively and one negatively, can cause the negative result to be replaced with the cached positive result. Similarly, in LookupResources, two resources with the same evaluation contents but differing caveat contexts can trigger the same cache reuse [1][2].
Impact
Successful exploitation causes SpiceDB to erroneously report that a user has access to a resource they should not have access to, breaking the intended access control model [1].
Mitigation
The fix was released in SpiceDB version v1.52.0 via pull request #3065 [3]. Users are advised to upgrade. As workarounds, disable the experimental LookupResources v3 flag, or refactor caveat declarations to avoid nested lists if immediate upgrade is not possible [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.