GHSA-vhvq-fv9f-wh4q: LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic

February 6, 2026

A malformed or tampered-with LookupResources Cursor token can cause a panic in the SpiceDB process if it fails to parse. If an attacker were able to make requests to a SpiceDB instance, they could affect its availability.

References

github.com/advisories/GHSA-vhvq-fv9f-wh4q
github.com/authzed/spicedb
github.com/authzed/spicedb/commit/fa1d7f48107e0c6c35e6a7862aa983366e70208f
github.com/authzed/spicedb/pull/2878
github.com/authzed/spicedb/security/advisories/GHSA-vhvq-fv9f-wh4q

Code Behaviors & Features

Detect and mitigate GHSA-vhvq-fv9f-wh4q with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →