Go modules package
github.com/authzed/spicedb
pkg:golang/github.com/authzed/spicedb
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40091 | Med | 6.0 | >= 1.49.0, < 1.51.1 | 1.51.1 | Apr 15, 2026 | SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext | |
| CVE-2025-65111 | — | < 1.47.1 | 1.47.1 | Nov 21, 2025 | SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on bo | ||
| CVE-2025-64529 | — | < 1.45.2 | 1.45.2 | Nov 10, 2025 | SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relati | ||
| CVE-2025-49011 | — | < 1.44.2 | 1.44.2 | Jun 6, 2025 | SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated | ||
| CVE-2024-48909 | — | >= 1.35.0, < 1.37.1 | 1.37.1 | Oct 14, 2024 | SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permi | ||
| CVE-2024-46989 | — | < 1.35.3 | 1.35.3 | Sep 18, 2024 | spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expecte | ||
| CVE-2024-38361 | — | < 1.33.1 | 1.33.1 | Jun 20, 2024 | Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource exis | ||
| CVE-2024-32001 | — | < 1.30.1 | 1.30.1 | Apr 10, 2024 | SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form: `relation folder: folder | folder#parent` with an arrow such as `folder->view` can cause LookupSubjects to only return the subjects found under subjects for ei | ||
| CVE-2024-27101 | — | < 1.29.2 | 1.29.2 | Mar 1, 2024 | SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked | ||
| CVE-2023-46255 | — | < 1.27.0-rc1 | 1.27.0-rc1 | Oct 31, 2023 | SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the p | ||
| CVE-2023-35930 | — | >= 1.22.0, < 1.22.2 | 1.22.2 | Jun 26, 2023 | SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, us | ||
| CVE-2023-29193 | — | < 1.19.1 | 1.19.1 | Apr 14, 2023 | SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key` which is used to protect the gRPC API from being accessed by unauthor | ||
| CVE-2022-21646 | — | >= 1.3.0, < 1.4.0 | 1.4.0 | Jan 11, 2022 | SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as "access |
- affected >= 1.49.0, < 1.51.1fixed 1.51.1
SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext
- CVE-2025-65111Nov 21, 2025affected < 1.47.1fixed 1.47.1
SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on bo
- CVE-2025-64529Nov 10, 2025affected < 1.45.2fixed 1.45.2
SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relati
- CVE-2025-49011Jun 6, 2025affected < 1.44.2fixed 1.44.2
SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated
- CVE-2024-48909Oct 14, 2024affected >= 1.35.0, < 1.37.1fixed 1.37.1
SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permi
- CVE-2024-46989Sep 18, 2024affected < 1.35.3fixed 1.35.3
spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expecte
- CVE-2024-38361Jun 20, 2024affected < 1.33.1fixed 1.33.1
Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource exis
- CVE-2024-32001Apr 10, 2024affected < 1.30.1fixed 1.30.1
SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form: `relation folder: folder | folder#parent` with an arrow such as `folder->view` can cause LookupSubjects to only return the subjects found under subjects for ei
- CVE-2024-27101Mar 1, 2024affected < 1.29.2fixed 1.29.2
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked
- CVE-2023-46255Oct 31, 2023affected < 1.27.0-rc1fixed 1.27.0-rc1
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the p
- CVE-2023-35930Jun 26, 2023affected >= 1.22.0, < 1.22.2fixed 1.22.2
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, us
- CVE-2023-29193Apr 14, 2023affected < 1.19.1fixed 1.19.1
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key` which is used to protect the gRPC API from being accessed by unauthor
- CVE-2022-21646Jan 11, 2022affected >= 1.3.0, < 1.4.0fixed 1.4.0
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as "access