Security

Report a vulnerability

SECURITY.md

Security Policy

All AuthZed products operate under a security embargo program. This means that vulnerabilities are privately reported, analyzed for applicability, notice is given, and a resolution is created and distributed. The issue is only made public once those affected in the embargo program have enough time to address the issue or have accepted the risks.

If you discover a vulnerability, avoid posting it publicly. Please report it by sending an email to security@authzed.com. For more details on how to report, see https://authzed.com/docs/authzed/concepts/security-embargo

Checks involving relations with caveats can result in no permission when permission is expected
GHSA-cwwm-hr97-qfxm published Jun 5, 2025 by miparnisari

Low
Calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not
GHSA-3c32-4hq9-6wgj published Oct 14, 2024 by vroldanbet

Low
Multiple caveats on resources of the same type can result in no permission when permission is expected
GHSA-jhg6-6qrx-38mr published Sep 18, 2024 by josephschorr

Low
Exclusions under arrows with multiple resources can result in no permission returned when permission expected
GHSA-grjv-gjgr-66g2 published Jun 20, 2024 by josephschorr

Low
LookupSubjects may return partial results if a specific kind of relation is used
GHSA-j85q-46hg-36p2 published Apr 10, 2024 by ecordell

Low
Integer overflow causes dispatching to miss elements or panic
GHSA-h3m7-rqc4-7h9p published Mar 1, 2024 by jzelinskie

High
`SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed
GHSA-jg7w-cxjv-98c2 published Oct 30, 2023 by josephschorr

Moderate
LookupResources may return partial results in v1.22.0
GHSA-m54h-5x5f-5m6r published Jun 26, 2023 by ecordell

Low
Binding metrics port to untrusted networks can leak command-line flags
GHSA-cjr9-mr35-7xh6 published Apr 13, 2023 by jzelinskie

High
Lookup operations do not take into account wildcards in intersections or exclusions
GHSA-7p8f-8hjm-wm92 published Jan 11, 2022 by josephschorr

High

Learn more about advisories related to authzed/spicedb in the GitHub Advisory Database