SpiceDB Multi-Branch Caveat Permission Check Error Vulnerability

Vulnerability

A vulnerability exists in SpiceDB versions prior to 1.44.2 in schemas that use arrows whose arrowed relation carries caveats. When a CheckPermission request must evaluate multiple caveated branches, the response may incorrectly report no permission when permission should in fact be granted. The issue stems from how caveats are processed across relation schemas, particularly those involving hierarchical relationships and permissions.

Impact

This vulnerability can lead to incorrect permission evaluations, causing the system to deny access when it should be granted. Such incorrect denials can disrupt workflows and access controls that rely on accurate permission checks.

Reproduction

To reproduce this vulnerability, create a schema that includes definitions for 'user', 'office', 'group', and 'document', with specific relations and permissions that involve caveats. Then, establish relationships that would normally grant permission under the defined rules. When a CheckPermission request is made, the response will incorrectly indicate no permission, despite the schema and relationships supporting it.
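The advisory does not publish the schema or relationships it used, so the following is an added illustration, not SpiceDB's code and not the reporter's reproduction. It is a simplified model of how results from several caveated branches of an arrow are expected to combine: a subject reaches document#view through two groups, each via an office whose member relation carries a different caveat. The schema sketch in the comments, the caveat names (in_office_hours, from_corp_net), and the object ids are all constructed for this example. The model returns the answer a correct CheckPermission should give, which is the value to assert on when writing a regression check against an instance running 1.44.2 or later: one satisfied branch is enough for HAS_PERMISSION, even when a sibling branch is undecided because its caveat context is missing.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

# Constructed schema this model corresponds to (zed-style text, hypothetical):
#   definition user {}
#   caveat in_office_hours(now_hour int) { now_hour >= 9 && now_hour < 17 }
#   caveat from_corp_net(ip string) { ip.startsWith("10.") }
#   definition office { relation member: user with in_office_hours | user with from_corp_net }
#   definition group { relation office: office
#                      permission member = office->member }
#   definition document { relation viewer_group: group
#                         permission view = viewer_group->member }
# document#view therefore arrows through group#member to the caveated office#member relation.


class Permissionship(Enum):
    NO = "NO_PERMISSION"
    HAS = "HAS_PERMISSION"
    CONDITIONAL = "CONDITIONAL_PERMISSION"  # caveat undecidable: required context missing


# Caveat bodies: True/False when decidable, None when a required context key is absent.
CAVEATS: dict[str, Callable[[dict], Optional[bool]]] = {
    "in_office_hours": lambda ctx: None if "now_hour" not in ctx else 9 <= ctx["now_hour"] < 17,
    "from_corp_net": lambda ctx: None if "ip" not in ctx else str(ctx["ip"]).startswith("10."),
}

# Arrow definitions: (resource type, permission) -> (relation to follow, permission on its subjects)
ARROWS = {
    ("group", "member"): ("office", "member"),
    ("document", "view"): ("viewer_group", "member"),
}


@dataclass(frozen=True)
class Rel:
    resource: str  # e.g. "office:hq"
    relation: str  # e.g. "member"
    subject: str  # e.g. "user:alice" or "group:eng"
    caveat: Optional[str] = None  # caveat name attached to this relationship, if any


def caveat_result(name: Optional[str], ctx: dict) -> Permissionship:
    """Evaluate one relationship's caveat against the request context."""
    if name is None:
        return Permissionship.HAS
    verdict = CAVEATS[name](ctx)
    if verdict is None:
        return Permissionship.CONDITIONAL
    return Permissionship.HAS if verdict else Permissionship.NO


def both(a: Permissionship, b: Permissionship) -> Permissionship:
    """AND: the relationship's own caveat and the arrow target's result must both hold."""
    if Permissionship.NO in (a, b):
        return Permissionship.NO
    if a is Permissionship.HAS and b is Permissionship.HAS:
        return Permissionship.HAS
    return Permissionship.CONDITIONAL


def union(results: list[Permissionship]) -> Permissionship:
    """OR across branches: a single satisfied branch grants; undecided beats denied."""
    if Permissionship.HAS in results:
        return Permissionship.HAS
    if Permissionship.CONDITIONAL in results:
        return Permissionship.CONDITIONAL
    return Permissionship.NO


def check(rels: list[Rel], resource: str, name: str, subject: str, ctx: dict) -> Permissionship:
    """Resolve `name` (relation or permission) on `resource` for `subject`, following arrows."""
    rtype = resource.split(":")[0]
    branches: list[Permissionship] = []
    # Direct relationships naming the subject contribute their own caveat result.
    for r in rels:
        if r.resource == resource and r.relation == name and r.subject == subject:
            branches.append(caveat_result(r.caveat, ctx))
    # Arrow: every subject of the arrowed relation is its own branch.
    if (rtype, name) in ARROWS:
        via_rel, target = ARROWS[(rtype, name)]
        for r in rels:
            if r.resource == resource and r.relation == via_rel:
                downstream = check(rels, r.subject, target, subject, ctx)
                branches.append(both(caveat_result(r.caveat, ctx), downstream))
    return union(branches)


# Constructed relationships: alice reaches document:plan through two caveated branches.
SAMPLE = [
    Rel("document:plan", "viewer_group", "group:eng"),
    Rel("document:plan", "viewer_group", "group:sales"),
    Rel("group:eng", "office", "office:hq"),
    Rel("group:sales", "office", "office:remote"),
    Rel("office:hq", "member", "user:alice", "in_office_hours"),
    Rel("office:remote", "member", "user:alice", "from_corp_net"),
]


def alice_can_view(ctx: dict) -> Permissionship:
    """Expected CheckPermission outcome for document:plan#view@user:alice under `ctx`."""
    return check(SAMPLE, "document:plan", "view", "user:alice", ctx)


if __name__ == "__main__":
    for ctx in ({"now_hour": 10}, {"now_hour": 20, "ip": "10.0.0.7"}, {}, {"now_hour": 20, "ip": "8.8.8.8"}):
        print(ctx, "->", alice_can_view(ctx).value)
```

The first context is the case the advisory describes: the in_office_hours branch is satisfied while the from_corp_net branch cannot be decided because no ip was supplied, and the correct answer is still HAS_PERMISSION. A deployment that answers NO_PERMISSION for a request shaped like this is exhibiting the pre-1.44.2 behaviour.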

Remediation

Upgrade to SpiceDB version 1.44.2, in which this vulnerability is patched. Download instructions are available on the SpiceDB GitHub releases page.

Added: Jun 6, 2025, 6:22 PM
Updated: Jun 6, 2025, 6:22 PM

Vulnerability Rating

Custom Algorithm
spread          0.8
impact          0.6
exploitability  9.1
remediation     8.3
relevance       0.1
threat          4.8
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.