Description
Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2.
Published: 2026-05-08
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient authorization checks in the Data Space Portal backend for self‑registered "PENDING" organization or user accounts between versions 2.1.1 and before 7.3.2. An attacker can create or exploit these pending accounts to gain access to protected endpoints, potentially retrieving or manipulating sensitive data. The lack of proper role validation enables an attacker to bypass authorization controls and may lead to broader system compromise.

Affected Systems

The affected product is the sovity dataspace‑portal. All instances running any version from 2.1.1 up to, but not including, 7.3.2 are vulnerable. Users of earlier releases are not affected.

Risk and Exploitability

The CVSS score of 10 indicates a critical severity. The EPSS score is not available, but the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is remote, through the public API or self‑registration interface, and does not require prior authentication. Given the absence of mitigation and the critical score, the risk is high and exploitation is feasible for an attacker willing to create a pending account.

Generated by OpenCVE AI on May 8, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Data Space Portal to version 7.3.2 or later to include the authorization fix.
  • If an immediate upgrade is not possible, disable public self‑registration or enforce strict role checks for pending accounts in the backend until the patch is applied.
  • Enable comprehensive logging and monitoring of pending account activity to detect and respond to unauthorized access attempts.

Generated by OpenCVE AI on May 8, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2.
Title Data Space Portal: Incorrect Authorization and Client-Side Enforcement of Server-Side Security in ghcr.io/sovity/ds-portal-ce-backend
Weaknesses CWE-602
CWE-863
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:46:59.825Z

Reserved: 2026-04-24T17:15:21.836Z

Link: CVE-2026-42160

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T20:16:30.743

Modified: 2026-05-08T20:16:30.743

Link: CVE-2026-42160

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:30:05Z

Weaknesses