PatchSiren cyber security CVE debrief
CVE-2026-46668 authzed CVE debrief
CVE-2026-46668 is a low-severity vulnerability in SpiceDB, an open-source database system, affecting versions from 1.15.0 to before 1.52.0. The issue involves improper cache reuse with caveat structures containing nested lists. This vulnerability was patched in version 1.52.0. The CVSS score for this vulnerability is 2.3, indicating a low severity.
- Vendor
- authzed
- Product
- spicedb
- CVSS
- LOW 2.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-11
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-11
Who should care
Users of SpiceDB, especially those using versions between 1.15.0 and 1.52.0, should be aware of this vulnerability and consider upgrading to version 1.52.0 or later to mitigate the issue.
Technical summary
The vulnerability in SpiceDB arises from improper cache reuse when dealing with caveat structures that contain nested lists. This issue was addressed in version 1.52.0.
Defensive priority
Low
Recommended defensive actions
- Upgrade to SpiceDB version 1.52.0 or later to patch the vulnerability.
Evidence notes
The CVE-2026-46668 vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-46668) and detailed further on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-46668). Additional information can be found in the source references [ref-4](https://github.com/authzed/spicedb/pull/3065), [ref-5](https://github.com/authzed/spicedb/releases/tag/v1.52.0), and [ref-6](https://github.com/authzed/spicedb/security/advisories/GHSA-mqcf-gqvg-rmhm).
Official resources
CVE-2026-46668 was published on 2026-06-10T22:16:59.893Z and modified on 2026-06-11T15:35:45.203Z.