SpiceDB Exclusion Operator Authorization Schema WriteRelationships Call Failure Vulnerability

Vulnerability

A vulnerability exists in SpiceDB versions prior to 1.45.2 that affects deployments whose authorization schema uses the exclusion operator. If the server is started with '--write-relationships-max-updates-per-call' set above 6500, and a WriteRelationships call carries a payload large enough to exceed the datastore's limits, the server responds as if the call succeeded even though the write did not take effect. Because the relationships were never stored, later permission checks can return wrong results, particularly when the excluded relationships were needed to resolve related permissions.

Impact

This vulnerability causes affected WriteRelationships calls to fail silently: the server still returns a successful response, so the caller has no indication that the write was lost. It can also lead to incorrect permission check outcomes when the exclusion-related relationships are later read.

Remediation

Users can upgrade to SpiceDB version 1.45.2 or later to address this vulnerability. Alternatively, the '--write-relationships-max-updates-per-call' option can be set to 1000 as a temporary workaround.
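The following POSIX sh script is an added example, not SpiceDB project code or tooling from the advisory's author. It turns the three conditions above (schema uses the exclusion operator, server version older than 1.45.2, flag above 6500) into a deployment check an operator can run against a captured 'spicedb serve' command line and a copy of the schema. The command line, schema and version strings are constructed sample inputs; how you obtain the real ones (process listing, Helm values, 'spicedb version') is up to you and is assumed here.

```shell
#!/bin/sh
# Added example (not SpiceDB project code): decide whether a deployment is
# exposed to the WriteRelationships/exclusion issue fixed in SpiceDB 1.45.2.

# Returns 0 (true) when dotted version $1 is older than $2, 1 otherwise.
# Accepts a leading "v" and ignores a pre-release suffix such as "-rc1".
version_lt() {
  lhs=${1#v}; rhs=${2#v}
  lhs=${lhs%%-*}; rhs=${rhs%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    l=$(printf '%s' "$lhs" | cut -d. -f"$i"); r=$(printf '%s' "$rhs" | cut -d. -f"$i")
    l=${l:-0}; r=${r:-0}
    if [ "$l" -lt "$r" ]; then return 0; fi
    if [ "$l" -gt "$r" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Prints the value of --write-relationships-max-updates-per-call found in a
# captured command line (both "--flag=N" and "--flag N" forms); prints
# nothing when the flag is absent.
max_updates_from_cmdline() {
  printf '%s\n' "$1" |
    sed -n 's/.*--write-relationships-max-updates-per-call[= ]\([0-9][0-9]*\).*/\1/p'
}

# Heuristic: a "permission" line containing " - " uses the exclusion operator.
schema_uses_exclusion() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*permission.* - '
}

# $1 = server version, $2 = flag value (empty means "not set"),
# $3 = "yes" when the schema uses exclusion. Returns 0 when exposed.
is_exposed() {
  ver=$1; max_updates=${2:-0}; uses_exclusion=$3
  [ "$uses_exclusion" = "yes" ] || return 1
  version_lt "$ver" "1.45.2" || return 1
  [ "$max_updates" -gt 6500 ] || return 1
  return 0
}

# Constructed sample inputs (assumptions, not values from the advisory).
CMDLINE='spicedb serve --grpc-preshared-key secret --write-relationships-max-updates-per-call=10000'
SCHEMA='definition user {}
definition document {
  relation viewer: user
  relation banned: user
  permission view = viewer - banned
}'
VERSION='v1.45.1'

if schema_uses_exclusion "$SCHEMA"; then EXCL=yes; else EXCL=no; fi
if is_exposed "$VERSION" "$(max_updates_from_cmdline "$CMDLINE")" "$EXCL"; then
  echo "exposed: upgrade to SpiceDB 1.45.2 or later, or set the flag to 1000"
else
  echo "not exposed"
fi
```

The check is deliberately conservative: if the flag is absent the value is treated as 0, and a schema with no exclusion anywhere is reported as not exposed even on an old version, matching the advisory's scoping.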

Added: Nov 10, 2025, 11:16 PM
Updated: Nov 10, 2025, 11:16 PM

Vulnerability Rating

Custom Algorithm

spread:         0.8
impact:         5.0
exploitability: 6.2
remediation:    8.3
relevance:      1.0
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.