CVE-2026-46668: CWE-285: Improper Authorization in authzed spicedb
SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.
AI Analysis
Technical Summary
SpiceDB versions >=1.15.0 and <1.52.0 contain an improper authorization vulnerability (CWE-285) due to improper cache reuse when handling caveat structures with nested lists. This flaw could lead to incorrect permission evaluations. The issue is resolved in version 1.52.0.
Potential Impact
The vulnerability may cause improper authorization decisions due to cache reuse errors, potentially allowing unauthorized access or permission mismanagement. However, the CVSS score of 2.3 and vector indicate low impact with high attack complexity and limited privileges required. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade affected installations of spicedb to version 1.52.0 or later, where this vulnerability has been patched. No other mitigation or temporary fixes are indicated.
CVE-2026-46668: CWE-285: Improper Authorization in authzed spicedb
Description
SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.
CVSS v4.0
Score 2.3low
Affected software
pkg:github/authzed/spicedbRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SpiceDB versions >=1.15.0 and <1.52.0 contain an improper authorization vulnerability (CWE-285) due to improper cache reuse when handling caveat structures with nested lists. This flaw could lead to incorrect permission evaluations. The issue is resolved in version 1.52.0.
Potential Impact
The vulnerability may cause improper authorization decisions due to cache reuse errors, potentially allowing unauthorized access or permission mismanagement. However, the CVSS score of 2.3 and vector indicate low impact with high attack complexity and limited privileges required. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade affected installations of spicedb to version 1.52.0 or later, where this vulnerability has been patched. No other mitigation or temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-15T21:46:51.546Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a29d0250e53e73883986cc2
Added to database: 6/10/2026, 8:59:17 PM
Last enriched: 6/10/2026, 9:15:21 PM
Last updated: 6/10/2026, 10:32:47 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.