cvedb.io
CVE-2022-21646
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2022-01-11T22:15:07.727 · Last modified 2026-06-17T04:26:40.590

Summary

SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as "accessible" if it is *not* accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In `v1.3.0`, the wildcard is ignored entirely in lookup's dispatch, resulting in the `banned` wildcard being ignored in the exclusion. Version 1.4.0 contains a patch for this issue. As a workaround, don't make use of wildcards on the right side of intersections or within exclusions.

Affected products

authzed — spicedb

Does this affect you?

Add your gear to cvedb and we'll alert you only when authzed ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.