CVE-2026-46668
LOWSpiceDB: Caveat structures with nested lists can result in improper cache reuse
Title source: cnaDescription
SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/authzed/spicedb/security/advisories/GHSA-mqcf-gqvg-rmhm
X_Refsource_Misc x_refsource_misc
https://github.com/authzed/spicedb/pull/3065
X_Refsource_Misc x_refsource_misc
https://github.com/authzed/spicedb/releases/tag/v1.52.0
Scores
CVSS v4
2.3
EPSS
0.0028
EPSS Percentile
19.2%
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-285
Status
published
Products (2)
authzed/spicedb
1.15.0 - 1.52.0Go
authzed/spicedb
>= 1.15.0, < 1.52.0
Published
Jun 10, 2026
Tracked Since
Jun 11, 2026