CVE-2026-46668
Status: Deferred - Pending Action

Improper Cache Reuse in SpiceDB Due to Nested List Caveats

Vulnerability report for CVE-2026-46668, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description

SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30
Source: NVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor: spicedb
Product: spicedb
Version / Range: from 1.15.0 (inclusive) to 1.52.0 (exclusive)

Exploitability

CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

AI Quick Actions

Executive Summary

This vulnerability exists in SpiceDB, an open source database system used for managing security-critical application permissions. Specifically, in versions from 1.15.0 up to but not including 1.52.0, caveat structures that contain nested lists can cause improper cache reuse. This means that the system may incorrectly reuse cached data when processing these nested caveat structures, potentially leading to incorrect permission evaluations or security decisions. The issue has been fixed in version 1.52.0.

Impact Analysis

The improper cache reuse caused by this vulnerability can lead to incorrect permission checks within applications relying on SpiceDB. This may result in unauthorized access being granted or legitimate access being denied, potentially compromising the security of the application and its data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade SpiceDB to version 1.52.0 or later, where the issue with improper cache reuse in caveat structures with nested lists has been patched.

Compliance Impact

The vulnerability in SpiceDB involves improper cache reuse due to caveat structures with nested lists, which can lead to incorrect authorization decisions and potentially grant unauthorized access to resources.

Such authorization errors could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.

Detection Guidance

This vulnerability involves improper cache reuse caused by caveat structures with nested lists in SpiceDB versions from 1.15.0 to before 1.52.0. Detection consists of identifying whether your system is running a vulnerable version of SpiceDB and whether it uses features such as CheckBulkPermission or the experimental LookupResources version 3 (lr3).

Since the issue relates to specific caveat structures causing cache hash collisions, detection can be approached by checking the version of SpiceDB deployed and reviewing usage of nested lists in caveat declarations.

No explicit detection commands are provided in the available resources. However, general steps include:

  • Check the SpiceDB version to confirm whether it is 1.15.0 or later and earlier than 1.52.0.
  • Audit your caveat declarations for nested list structures that could trigger the vulnerability.
  • If using the experimental LookupResources version 3 (lr3), consider disabling it as a workaround.

For version checking, you can run a command like:

  • `spicedb version`

For auditing caveat declarations or requests, you would need to review your application code or logs where caveat contexts are defined or used, as no direct network detection commands are specified.
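The two manual steps above (checking the version range and auditing caveat declarations for nested list types) can be done offline with a small script. The following is an added example and is not code from SpiceDB or from the advisory; it assumes that the output of `spicedb version` contains a semver string such as `v1.51.0`, that caveat declarations follow the `caveat name(param type, ...) { ... }` form, and that a nested list shows up in a parameter type as a `list<` appearing inside another generic type (e.g. `list<list<string>>`). The sample schema embedded below is constructed for the example.

```python
"""Offline checks for the CVE-2026-46668 detection guidance (added example).

Assumptions (not taken from the advisory):
  - `spicedb version` output contains a semver like "v1.51.0".
  - caveat declarations look like: caveat name(param type, ...) { ... }
  - a "nested list" is a `list<` nested inside another generic type.
"""
import re

# Affected range from the advisory: >= 1.15.0 and < 1.52.0.
AFFECTED_MIN = (1, 15, 0)   # inclusive
FIXED_VERSION = (1, 52, 0)  # exclusive

# Constructed sample schema: one flat-list caveat and one nested-list caveat.
SAMPLE_SCHEMA = """
definition user {}

caveat ip_allowed(user_ip ipaddress, cidrs list<string>) {
  user_ip.in_cidr(cidrs[0])
}

caveat region_groups(region string, allowed list<list<string>>) {
  region in allowed[0]
}

definition document {
  relation viewer: user with ip_allowed | user with region_groups
  permission view = viewer
}
"""

_SEMVER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Captures the caveat name and its raw parameter list.
_CAVEAT_RE = re.compile(r"\bcaveat\s+(\w+)\s*\(([^)]*)\)")
# A `list<` that sits inside another `<...>` is treated as a nested list.
_NESTED_LIST_RE = re.compile(r"<\s*list\s*<")


def parse_version(text):
    """Extract (major, minor, patch) from text such as `spicedb version` output."""
    m = _SEMVER_RE.search(text)
    if m is None:
        raise ValueError("no semver found in: %r" % text)
    return tuple(int(part) for part in m.groups())


def is_affected_version(text):
    """True when the version is inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) < FIXED_VERSION


def find_nested_list_caveats(schema):
    """Return (caveat_name, param_name, param_type) for nested-list parameters."""
    findings = []
    for m in _CAVEAT_RE.finditer(schema):
        caveat_name, raw_params = m.group(1), m.group(2)
        for param in raw_params.split(","):
            parts = param.split(None, 1)  # "name type"
            if len(parts) != 2:
                continue
            pname, ptype = parts[0], parts[1].strip()
            if _NESTED_LIST_RE.search(ptype):
                findings.append((caveat_name, pname, ptype))
    return findings


def audit(version_text, schema):
    """Combine both checks; a deployment needs attention only if both are true."""
    affected = is_affected_version(version_text)
    nested = find_nested_list_caveats(schema)
    return {
        "affected_version": affected,
        "nested_list_caveats": nested,
        "needs_upgrade": affected and bool(nested),
    }


if __name__ == "__main__":
    # Replace the constructed inputs with `spicedb version` output and your schema.
    result = audit("spicedb v1.51.0", SAMPLE_SCHEMA)
    print("affected version:", result["affected_version"])
    for caveat_name, pname, ptype in result["nested_list_caveats"]:
        print("nested list caveat: %s(%s %s)" % (caveat_name, pname, ptype))
    print("needs upgrade to 1.52.0:", result["needs_upgrade"])
```

The version check alone is the decisive signal for patching; the schema scan only tells you whether the vulnerable code path is reachable from your caveats, which is useful for prioritising the upgrade rather than for deciding whether it is needed.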
