CRE-2025-0078

SpiceDB Database Schema Failures: Missing Core Tables
High
Impact: 10/10
Mitigation: 2/10

Description

Detects critical SpiceDB database schema failures caused by missing core tables like `metadata`, `alembic_version`, or `relation_tuple_transaction`. These errors often stem from incomplete migrations, startup race conditions, or schema corruption, resulting in a complete breakdown of SpiceDB authorization capabilities.


Cause

  • Migrations not executed or incomplete
  • Alembic not initialized or failed
  • Startup before DB schema readiness
  • Schema corruption or manual table drop
  • Permission errors during migration
  • Race condition in container startup
  • Concurrent conflicting migrations

Mitigation

IMMEDIATE ACTIONS:

  • Stop the SpiceDB service immediately to prevent further inconsistent behavior.
  • Check PostgreSQL connectivity and schema integrity.
  • Run: `psql -U postgres -d spicedb -c "\\dt"` to inspect existing tables.
  • If tables are missing, initialize and apply migrations:

`spicedb migrate init && spicedb migrate head`
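
A pre-start gate for the startup race conditions listed under Cause, as an added example (not part of the CRE rule or of SpiceDB): it polls PostgreSQL until the three tables named in the description exist, and never runs migrations itself. The function names, the `public` schema and the retry defaults are assumptions.

```shell
#!/bin/sh
# Added example: gate SpiceDB startup on the core tables named in this rule.
# CORE_TABLES holds only the three tables the page lists, not the full schema.
CORE_TABLES="metadata alembic_version relation_tuple_transaction"

# Lists tables in the public schema, one per line. Connection values are the
# ones from the page's psql command; the public schema is an assumption.
list_tables() {
    psql -U postgres -d spicedb -At \
        -c "SELECT tablename FROM pg_tables WHERE schemaname = 'public'"
}

# Reads table names on stdin, prints each missing core table, and returns
# non-zero if any is missing.
missing_core_tables() {
    present=$(tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    miss_rc=0
    for t in $CORE_TABLES; do
        # -x -F: whole-line literal match, so "metadata_old" is not "metadata".
        if ! printf '%s\n' "$present" | grep -qxF "$t"; then
            printf '%s\n' "$t"
            miss_rc=1
        fi
    done
    return "$miss_rc"
}

# Polls until every core table exists. $1 = attempts, $2 = seconds between
# attempts. Returns 0 when the schema is ready, 1 otherwise.
wait_for_schema() {
    attempts=${1:-10}
    delay=${2:-3}
    i=1
    while [ "$i" -le "$attempts" ]; do
        missing="database unreachable"
        if tables=$(list_tables); then
            missing=$(printf '%s\n' "$tables" | missing_core_tables) && return 0
        fi
        # $missing is left unquoted on purpose so the names print on one line.
        echo "attempt $i/$attempts: not ready:" $missing >&2
        i=$((i + 1))
        if [ "$i" -le "$attempts" ]; then sleep "$delay"; fi
    done
    return 1
}
```

Call `wait_for_schema` from the container entrypoint before launching SpiceDB and let the container fail when it returns non-zero. Because the gate only reads the catalog, several replicas can run it at once without adding to the concurrent-migration cause listed above.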


References