SpiceDB EUVD-2025-17360

CVE-2025-49011 (LOW, CVSS 3.1 score 3.7)
Improperly Implemented Security Check for Standard (CWE-358)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline (4 events)

Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd), EUVD-2025-17360
Patch released: Mar 14, 2026 - 18:10 (nvd), patch available
CVE Published: Jun 06, 2025 - 18:15 (nvd), LOW 3.7

Description (NVD)

SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.

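Analysis (AI)

An incorrect authorization result in SpiceDB (CVSS 3.7): a CheckPermission request may return a negative response when a positive response is expected. The CVSS vector rates the impact as low integrity only, with no confidentiality or availability impact. Remediation should follow standard vulnerability management procedures. Vendor patch is available.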

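Technical Context (AI)

Vulnerability type: Improperly Implemented Security Check for Standard (CWE-358). Affects SpiceDB prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation.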

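Remediation (AI)

Apply the vendor-supplied patch immediately by upgrading to version 1.44.2. As a workaround, do not use caveats in the schema over an arrow’ed relation.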
