{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46668", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-15T21:46:51.546Z", "datePublished": "2026-06-10T20:11:44.193Z", "dateUpdated": "2026-06-11T16:15:36.256Z"}, "containers": {"cna": {"title": "SpiceDB: Caveat structures with nested lists can result in improper cache reuse", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-mqcf-gqvg-rmhm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-mqcf-gqvg-rmhm"}, {"name": "https://github.com/authzed/spicedb/pull/3065", "tags": ["x_refsource_MISC"], "url": "https://github.com/authzed/spicedb/pull/3065"}, {"name": "https://github.com/authzed/spicedb/releases/tag/v1.52.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/authzed/spicedb/releases/tag/v1.52.0"}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"version": ">= 1.15.0, < 1.52.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T20:11:44.193Z"}, "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0."}], "source": {"advisory": "GHSA-mqcf-gqvg-rmhm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-11T12:29:29.612397Z", "id": "CVE-2026-46668", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T16:15:36.256Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-46668", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-11T12:29:29.612397Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T12:29:34.302Z"}}], "cna": {"title": "SpiceDB: Caveat structures with nested lists can result in improper cache reuse", "source": {"advisory": "GHSA-mqcf-gqvg-rmhm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"status": "affected", "version": ">= 1.15.0, < 1.52.0"}]}], "references": [{"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-mqcf-gqvg-rmhm", "name": "https://github.com/authzed/spicedb/security/advisories/GHSA-mqcf-gqvg-rmhm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/authzed/spicedb/pull/3065", "name": "https://github.com/authzed/spicedb/pull/3065", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/authzed/spicedb/releases/tag/v1.52.0", "name": "https://github.com/authzed/spicedb/releases/tag/v1.52.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T20:11:44.193Z"}}}, "cveMetadata": {"cveId": "CVE-2026-46668", "state": "PUBLISHED", "dateUpdated": "2026-06-11T16:15:36.256Z", "dateReserved": "2026-05-15T21:46:51.546Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-10T20:11:44.193Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0."}], "id": "CVE-2026-46668", "lastModified": "2026-06-11T15:35:45.203", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-10T22:16:59.893", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/authzed/spicedb/pull/3065"}, {"source": "security-advisories@github.com", "url": "https://github.com/authzed/spicedb/releases/tag/v1.52.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-mqcf-gqvg-rmhm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/authzed/spicedb: SpiceDB: Improper cache reuse vulnerability in caveat structures", "id": "2487703", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487703"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-237", "details": ["SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.", "A flaw was found in SpiceDB, an open-source database system for managing application permissions. This vulnerability occurs due to improper cache reuse when processing caveat structures that contain nested lists. This could lead to unexpected behavior or a low impact on confidentiality, potentially resulting in minor information disclosure."], "mitigation": {"lang": "en:us", "value": "Avoid using caveat structures with nested lists in SpiceDB permission definitions until the fix (v1.52.0) is applied. Alternatively, update SpiceDB to version 1.52.0 or later."}, "name": "CVE-2026-46668", "public_date": "2026-06-10T20:11:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-46668\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46668\nhttps://github.com/authzed/spicedb/pull/3065\nhttps://github.com/authzed/spicedb/releases/tag/v1.52.0\nhttps://github.com/authzed/spicedb/security/advisories/GHSA-mqcf-gqvg-rmhm"], "statement": "Red Hat ships SpiceDB as a dependency in the Management Platform service (cloud.redhat.com). The vulnerability involves improper cache reuse when processing caveat structures with nested lists, which could lead to minor information disclosure. The affected version range is 1.15.0 to before 1.52.0.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.15.0,1.52.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "spicedb", "source": "cna", "vendor": "authzed"}, "product": "spicedb", "vendor": "authzed"}], "created": "2026-06-10T22:45:27.367370+00:00", "updated": "2026-06-26T02:15:15.785255+00:00", "vendors": ["authzed", "authzed$PRODUCT$spicedb"]}