Description
REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that the creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.
Published: 2026-02-06
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass that enables attackers to arbitrarily download all resources associated with a public link creator
Action: Apply Patch
AI Analysis

Impact

A fault in the GRPC authorization middleware of the Reva component lets a malicious user skip the scope check that protects public links. By targeting the archiver service, an attacker can generate a zip or tar file that contains every file and resource the public link creator can access. This grants the attacker unrestricted read access to the link owner's data, allowing wide‑scale data exfiltration and exposure of confidential material.

Affected Systems

The flaw affects the Reva interoperability platform from OpenCloud EU. Any deployment of Reva versions older than 2.42.3 or 2.40.3 that exposes public link functionality is vulnerable.

Risk and Exploitability

The CVSS score of 8.2 signals high severity, while the EPSS score of less than 1% indicates a very low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation. Exploitation requires only that an attacker supply a valid public link ID to the archiver service; no elevated privileges are needed. Once triggered, the attacker can repeatedly request archives to harvest all data linked to the public link creator.

Generated by OpenCVE AI on April 17, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Reva to version 2.42.3 or 2.40.3 (or later) to apply the fixed authorization check in the GRPC middleware.
  • If public link sharing is not essential, disable it to eliminate the attack surface.
  • Monitor archive creation logs for unusual activity and ensure that only authorized users and services can invoke the archiver function.



Advisories
Source | ID | Title
GitHub GHSA | GHSA-9j2f-3rj3-wgpg | OpenCloud Reva has a Public Link Exploit
History

Tue, 24 Feb 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Heinlein; Heinlein opencloud Reva
CPEs | (none) | cpe:2.3:a:heinlein:opencloud_reva:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Heinlein; Heinlein opencloud Reva

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Opencloud-eu; Opencloud-eu reva
Vendors & Products | (none) | Opencloud-eu; Opencloud-eu reva

Fri, 06 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that the creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.
Title | (none) | REVA Public Link Exploit
Weaknesses | (none) | CWE-863
References | (none) | (none listed)
Metrics | (none) | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Subscriptions

Heinlein Opencloud Reva
Opencloud-eu Reva
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T18:52:19.409Z

Reserved: 2026-01-19T18:49:20.657Z

Link: CVE-2026-23989

Vulnrichment

Updated: 2026-02-06T18:52:10.574Z

NVD

Status : Analyzed

Published: 2026-02-06T19:16:08.470

Modified: 2026-02-24T20:57:55.337

Link: CVE-2026-23989

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses