CVE-2022-21646 is a vulnerability identified in SpiceDB version 1.3.0, a database system designed to manage security-critical application permissions. The flaw arises from improper neutralization of wildcards or matching symbols (CWE-155) combined with improper input validation (CWE-20). Specifically, when a user employs a wildcard relationship on the right-hand branch of an 'exclusion' or within an 'intersection' operation, the system's Lookup and LookupResources functions incorrectly return resources as accessible even if they should be excluded. This occurs because the wildcard is ignored entirely during the lookup dispatch process in version 1.3.0, causing exclusions that rely on wildcards (e.g., a 'banned' wildcard) to be bypassed. Consequently, resources that should be inaccessible due to these exclusion rules are erroneously marked as accessible, potentially granting unauthorized access. The issue was addressed in SpiceDB version 1.4.0, which contains a patch correcting the wildcard handling logic. Until upgrading, the recommended workaround is to avoid using wildcards on the right side of intersections or within exclusions to prevent this bypass. No known exploits have been reported in the wild, but the vulnerability impacts the core permission evaluation mechanism, which is critical for enforcing access controls in applications relying on SpiceDB. This flaw could lead to unauthorized data access or privilege escalation within affected systems.

For European organizations utilizing SpiceDB version 1.3.0 in their permission management infrastructure, this vulnerability poses a risk of unauthorized access to sensitive resources. Since SpiceDB is often integrated into applications managing critical permissions, exploitation could lead to breaches of confidentiality by exposing protected data or unauthorized privilege escalation, undermining the integrity of access controls. The availability impact is limited, as the vulnerability does not cause denial of service but rather incorrect access decisions. Organizations in sectors with stringent data protection requirements—such as finance, healthcare, and government—may face compliance risks if unauthorized access occurs. Moreover, the incorrect permission evaluations could facilitate lateral movement within networks if attackers exploit the wildcard bypass to access restricted resources. Although no active exploitation is currently known, the flaw's presence in a security-critical component necessitates prompt remediation to maintain trust in access control mechanisms and prevent potential data breaches.

European organizations should prioritize upgrading SpiceDB to version 1.4.0 or later, where the wildcard handling issue is fixed. Until an upgrade is feasible, developers and administrators must audit their use of wildcards in permission definitions, specifically avoiding wildcards on the right side of intersections or within exclusions to prevent bypass scenarios. Conduct thorough permission reviews to identify and refactor any rules that rely on such wildcard usage. Implement additional compensating controls such as enhanced logging and monitoring of permission lookup results to detect anomalous access patterns that may indicate exploitation attempts. Where possible, apply strict input validation and limit the use of complex permission expressions involving wildcards. Security teams should also integrate SpiceDB permission checks with broader identity and access management (IAM) policies to enforce defense-in-depth. Finally, maintain awareness of vendor advisories and community updates for any emerging exploit reports or patches.