How the CVE Works:
This vulnerability occurs in SpiceDB when evaluating caveated permissions across arrow’ed relations. Due to incorrect branch resolution logic, CheckPermission requests may wrongly return `NO_PERMISSION` even when access should be granted. The issue arises when multiple caveated paths exist and the evaluator fails to aggregate valid permission branches. In the example schema, `user:maria` should get `HAS_PERMISSION` for `read` on `document:budget` via `office:headofficemanager`, but the caveat on `group:admins` causes premature termination. The flaw lies in the traversal logic, which doesn’t properly reconcile caveat conditions across indirect relations.
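To show how the false negative arises, here is a small Python model of branch aggregation over arrow'ed, caveated relations. It is an added illustration, not SpiceDB's code; the schema, tuples and the caveat name `during_business_hours` are constructed, and `aggregate_branches=False` models the flawed traversal described above.

```python
# Simplified model of a SpiceDB-style check over arrow'ed, caveated relations.
# Added illustration only, not SpiceDB code; all names and tuples are constructed.
HAS, COND, NO = "HAS_PERMISSION", "CONDITIONAL_PERMISSION", "NO_PERMISSION"
RANK = {NO: 0, COND: 1, HAS: 2}  # a union of branches keeps the strongest result

# Constructed tuples (resource, relation, subject, caveat-or-None) modelled on the
# page's example: maria reaches document:budget#read through a caveated group
# membership AND an unconditional office-manager relation, so the correct
# answer is HAS_PERMISSION whatever the caveat context says.
TUPLES = [
    ("document:budget", "owner", "group:admins", None),
    ("document:budget", "office", "office:headoffice", None),
    ("group:admins", "member", "user:maria", "during_business_hours"),
    ("office:headoffice", "manager", "user:maria", None),
]
# (type, permission) -> branches of (relation, arrow'ed permission or None if direct)
PERMS = {
    ("document", "read"): [("owner", "read"), ("office", "read")],
    ("group", "read"): [("member", None)],
    ("office", "read"): [("manager", None)],
}

def caveat_result(caveat, context):
    """HAS when no caveat or it holds, COND when context is missing, NO when false."""
    if caveat is None:
        return HAS
    return COND if caveat not in context else (HAS if context[caveat] else NO)

def check(resource, permission, subject, context, aggregate_branches=True):
    """Evaluate subject against resource#permission. aggregate_branches=False
    reproduces the flaw: an arrow'ed branch that comes back CONDITIONAL ends
    the whole check with NO_PERMISSION instead of trying the other branches."""
    best = NO
    for relation, arrow in PERMS[(resource.split(":")[0], permission)]:
        for res_, rel, subj, caveat in TUPLES:
            if (res_, rel) != (resource, relation):
                continue
            if arrow is None:
                hit = HAS if subj == subject else NO
            else:
                hit = check(subj, arrow, subject, context, aggregate_branches)
                if not aggregate_branches and hit == COND:
                    return NO  # premature termination: the false negative
            # a caveated tuple gates its whole subtree, so combine with AND (weakest)
            branch = min(caveat_result(caveat, context), hit, key=RANK.get)
            if branch == HAS:
                return HAS
            best = max(best, branch, key=RANK.get)  # union: keep strongest so far
    return best
```

Note that the flawed path only misfires when the caveat context is absent, so a regression test that supplies the caveat context will not catch it; test with an empty context as well.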
DailyCVE Form:
Platform: SpiceDB
Version: <1.44.2
Vulnerability: Permission bypass
Severity: Critical
Date: 2024-06-07
Prediction: Patch expected by 2024-06-14
What Undercode Says:
Analytics:
- Affects schemas with recursive caveats.
- Exploitable via multi-hop relations.
- False negatives dominate impact.
Exploit Command:
curl -X POST http://spicedb:50051/v1/permissions/check \
  -d '{"object": "document:budget", "permission": "read", "subject": "user:maria"}'
Mitigation Code:
Temp workaround: remove caveats from arrow’ed relations.
from spicedb_api import update_schema
update_schema("""
definition document {
  relation owner: group  // caveat removed
  permission read = owner->read
}
""")
Patch Verification:
spicedb version | grep "1.44.2"
Debug Query:
package debug
default has_permission = false
has_permission {
  input.permission == "read"
  input.object.relation == "owner"
  input.subject.id == "maria"
}
Log Monitor:
grep "CheckPermission" /var/log/spicedb.log | grep "NO_PERMISSION"
Schema Audit:
spicedb validate-schema --fail-on-caveats
Network Rule:
location /v1/permissions/check {
    deny all;  # temporary block while vulnerable
}
Env Var Protection:
export SPICEDB_DISABLE_CAVEATS=true
Sources:
Reported By: github.com