Skip to main content

Dataspace Portal CVE-2026-42160

| EUVDEUVD-2026-28817 CRITICAL
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-05-08 GitHub_M
10.0
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 08, 2026 - 21:03 EUVD
Source Code Evidence Fetched
May 08, 2026 - 20:33 vuln.today
Analysis Generated
May 08, 2026 - 20:33 vuln.today
CVSS changed
May 08, 2026 - 20:22 NVD
10.0 (CRITICAL)
CVE Published
May 08, 2026 - 19:46 nvd
CRITICAL 10.0

DescriptionGitHub Advisory

Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2.

AnalysisAI

Unauthorized API access in sovity Dataspace Portal versions 2.1.1 through 7.3.1 allows unauthenticated remote attackers to bypass authorization controls and access backend APIs using credentials from self-registered accounts in PENDING status. The vulnerability affects the open-source SaaS platform before organizations approve new user registrations, enabling information disclosure and potential data manipulation. Vendor-confirmed patch released in version 7.3.2 on 2026-04-20. CVSS 10.0 reflects network-accessible attack with no complexity, no privileges required, and high impact across confidentiality, integrity, and availability in both vulnerable and subsequent systems. No CISA KEV listing or public exploit identified at time of analysis.

Technical ContextAI

The vulnerability stems from CWE-602 (Client-Side Enforcement of Server-Side Security), where the Dataspace Portal backend fails to enforce proper authorization checks on API endpoints for users in PENDING registration state. In typical SaaS onboarding workflows, self-registered accounts should remain inactive until organization administrators approve them. The affected backend (CPE: cpe:2.3:a:sovity:dataspace-portal) incorrectly grants API access to these unapproved accounts, violating the principle that server-side authorization must validate both authentication state AND approval status. The CVSS 4.0 vector shows network accessibility (AV:N), low attack complexity (AC:L), no attack requirements (AT:N), no privileges needed (PR:N), and no user interaction (UI:N), indicating the backend APIs accept requests from PENDING accounts without validating organizational approval workflows. The subsequent system impact scores (SC:H/SI:H/SA:L) suggest the vulnerability enables lateral movement or access to data beyond the immediate vulnerable service, typical of dataspace management platforms that broker access to multiple participating organizations' resources.

RemediationAI

Upgrade immediately to Dataspace Portal version 7.3.2 or later, released 2026-04-20. Deploy patched Docker images: ghcr.io/sovity/ds-portal-ce-backend:7.3.2 (backend) and ghcr.io/sovity/ds-portal-ce-frontend:7.3.2 (frontend). Vendor release notes confirm no special migration steps required, enabling rapid deployment. Compatible component versions: Catalog Crawler CE 7.3.2, sovity EDC CE v16.5.0, Keycloak 26.4.7, PostgreSQL 17. If immediate patching is infeasible, implement emergency compensating controls: (1) disable self-registration functionality via Keycloak realm settings until patched, trading user onboarding convenience for security; (2) audit all PENDING accounts created since deployment of vulnerable versions (2.1.1+) and review API access logs for unauthorized activity patterns; (3) if disabling registration is unacceptable, manually approve PENDING accounts within minutes of creation to minimize exposure window, though this does not eliminate the vulnerability. Firewall rules restricting backend API access to approved IP ranges reduce attack surface but do not prevent abuse by adversaries who self-register from allowed networks. Full security posture restoration requires upgrading to 7.3.2. Advisory: https://github.com/sovity/dataspace-portal/security/advisories/GHSA-989g-wpfv-6vxx. Release: https://github.com/sovity/dataspace-portal/releases/tag/v7.3.2.

Share

CVE-2026-42160 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy