Authorization Data Handling Vulnerability in SpiceDB by Authzed
CVE-2025-49011

3.7LOW

Key Information:

Vendor

Authzed

Status
Spicedb
Vendor
CVE Published:
6 June 2025

What is CVE-2025-49011?

SpiceDB, an open-source database for fine-grained authorization management, was found to have an issue affecting how CheckPermission requests were handled. Before the release of version 1.44.2, schemas utilizing arrows with caveats could lead to incorrect negative responses during permission checks, causing potential access control issues. Users are advised to update to version 1.44.2 to resolve this flaw or, as a temporary workaround, refrain from using caveats on arrow’ed relations within their schemas.

Affected Version(s)

spicedb < 1.44.2

References

https://github.com/authzed/spicedb/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/authzed/spicedb/commit/fe8dd9f491f6975...
x_refsource_MISC
https://github.com/authzed/spicedb/releases/tag/v1.44.2
x_refsource_MISC

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-49011 : Authorization Data Handling Vulnerability in SpiceDB by Authzed