Description

SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.

INFO

Published Date :

2025-06-06T17:36:21.747Z

Last Modified :

2025-06-06T21:33:23.317Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49011 vulnerability.

Vendors Products
Authzed
  • Spicedb
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49011.

URL Resource
https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67 cve-icon cve-icon
https://github.com/authzed/spicedb/releases/tag/v1.44.2 cve-icon cve-icon
https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact