CVE-2026-46668 Overview
CVE-2026-46668 affects SpiceDB, an open source database system for managing security-critical application permissions. The vulnerability impacts versions 1.15.0 through versions prior to 1.52.0. Caveat structures containing nested lists can trigger improper cache reuse, which may lead to incorrect permission decisions under specific conditions. The issue is classified under [CWE-285] Improper Authorization. The maintainers patched the flaw in SpiceDB version 1.52.0.
Critical Impact
Improper cache reuse in caveat structures may cause SpiceDB to return permission decisions that do not reflect the intended authorization logic when nested list values are evaluated.
Affected Products
- SpiceDB versions 1.15.0 through 1.51.x (authzed/spicedb)
- Applications relying on SpiceDB caveats with nested list parameters
- Deployments that have not upgraded to SpiceDB 1.52.0
Discovery Timeline
- 2026-06-10 - CVE-2026-46668 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-46668
Vulnerability Analysis
SpiceDB evaluates permissions using a schema that supports caveats, which are conditional expressions attached to relationships. Caveats accept structured parameters, including nested lists, that influence access decisions at check time.
The vulnerability stems from improper handling of cache keys when caveat structures contain nested lists. SpiceDB reuses cached evaluation results across requests, but the cache key derivation does not adequately distinguish requests whose nested list parameters differ in semantically relevant ways. As a result, the system can return a cached authorization decision that does not match the actual input.
This is an authorization correctness issue rather than a memory safety flaw. Successful exploitation requires an attacker to hold valid low-privilege access to the SpiceDB API and to craft caveat inputs that collide with previously cached entries. The scope of impact is confined to the confidentiality of permission decisions evaluated through affected caveats.
Root Cause
The root cause is improper cache reuse in the caveat evaluation path. Nested list values within caveat context are not represented uniquely in the cache lookup, so distinct inputs share a cache entry. The fix in version 1.52.0 corrects how nested list structures contribute to cache identity. Details are available in the SpiceDB GitHub Pull Request #3065.
Attack Vector
An authenticated client submits permission check requests over the network using caveats whose context contains nested lists. By varying nested list values across requests, the client can encounter cache collisions and receive authorization decisions intended for different input. The attack complexity is high because exploitation depends on schema design, caveat usage, and cache state. Refer to the SpiceDB Security Advisory GHSA-mqcf-gqvg-rmhm for vendor analysis.
Detection Methods for CVE-2026-46668
Indicators of Compromise
- SpiceDB server binaries reporting versions between 1.15.0 and 1.51.x via the /debug or version endpoints
- Permission check responses that diverge from expected results when caveat context includes nested list values
- Anomalous patterns of CheckPermission requests carrying repeated caveat context structures with small variations in list elements
Detection Strategies
- Inventory SpiceDB deployments and compare running versions against 1.52.0 using container image tags, Helm chart values, or spicedb version output
- Review SpiceDB schemas for caveats that accept list or nested list parameters and identify services calling those caveats
- Add integration tests that exercise caveat evaluation with varied nested list inputs and compare results against an authoritative policy baseline
Monitoring Recommendations
- Forward SpiceDB audit and API logs to a centralized logging or SIEM platform and alert on unexpected permission grant patterns
- Track cache hit and miss metrics exposed by SpiceDB to identify abnormal hit ratios on caveat-bearing checks
- Monitor application-layer authorization decisions for inconsistency between SpiceDB responses and downstream policy enforcement
How to Mitigate CVE-2026-46668
Immediate Actions Required
- Upgrade all SpiceDB instances to version 1.52.0 or later as published in the SpiceDB v1.52.0 Release
- Audit caveat definitions and identify any that accept list or nested list parameters for prioritized review
- Restrict SpiceDB API access to trusted clients using mutual TLS and pre-shared keys until patching is complete
Patch Information
The maintainers fixed CVE-2026-46668 in SpiceDB 1.52.0. The fix corrects cache key derivation for caveat structures that include nested lists so that distinct inputs no longer share cached evaluation results. Operators should pull the updated container image authzed/spicedb:v1.52.0 or upgrade through their package or chart of choice and restart all SpiceDB nodes.
Workarounds
- Disable or refactor caveats that rely on nested list parameters until the upgrade is applied
- Flush the SpiceDB cache or run with caching disabled where supported to avoid serving stale evaluation results
- Add downstream policy checks in calling services to validate sensitive authorization decisions independently of SpiceDB cache state
# Configuration example: upgrade SpiceDB container to the patched release
docker pull authzed/spicedb:v1.52.0
docker stop spicedb && docker rm spicedb
docker run -d --name spicedb \
-p 50051:50051 \
-e SPICEDB_GRPC_PRESHARED_KEY="$PRESHARED_KEY" \
authzed/spicedb:v1.52.0 serve
# Verify the running version
docker exec spicedb spicedb version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

