Skip to main content

Opencloud Reva CVE-2026-23989

HIGH
Incorrect Authorization (CWE-863)
2026-02-06 security-advisories@github.com GHSA-9j2f-3rj3-wgpg
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 24, 2026 - 20:57 nvd
Patch available
CVE Published
Feb 06, 2026 - 19:16 nvd
HIGH 8.2

DescriptionGitHub Advisory

REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.

AnalysisAI

Unauthenticated attackers can bypass public link scope verification in OpenCloud Reva versions prior to 2.42.3 and 2.40.3 through a flaw in GRPC authorization middleware. By exploiting the archiver service, an attacker can create archives containing all resources accessible to the public link creator, resulting in unauthorized information disclosure. A patch is available in versions 2.42.3 and 2.40.3.

Technical ContextAI

Classified as CWE-863 (Incorrect Authorization). Affects Opencloud Reva. REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 2.42.3. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-23989 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy