Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2.
AnalysisAI
Unauthorized API access in sovity Dataspace Portal versions 2.1.1 through 7.3.1 allows unauthenticated remote attackers to bypass authorization controls and access backend APIs using credentials from self-registered accounts in PENDING status. The vulnerability affects the open-source SaaS platform before organizations approve new user registrations, enabling information disclosure and potential data manipulation. Vendor-confirmed patch released in version 7.3.2 on 2026-04-20. CVSS 10.0 reflects network-accessible attack with no complexity, no privileges required, and high impact across confidentiality, integrity, and availability in both vulnerable and subsequent systems. No CISA KEV listing or public exploit identified at time of analysis.
Technical ContextAI
The vulnerability stems from CWE-602 (Client-Side Enforcement of Server-Side Security), where the Dataspace Portal backend fails to enforce proper authorization checks on API endpoints for users in PENDING registration state. In typical SaaS onboarding workflows, self-registered accounts should remain inactive until organization administrators approve them. The affected backend (CPE: cpe:2.3:a:sovity:dataspace-portal) incorrectly grants API access to these unapproved accounts, violating the principle that server-side authorization must validate both authentication state AND approval status. The CVSS 4.0 vector shows network accessibility (AV:N), low attack complexity (AC:L), no attack requirements (AT:N), no privileges needed (PR:N), and no user interaction (UI:N), indicating the backend APIs accept requests from PENDING accounts without validating organizational approval workflows. The subsequent system impact scores (SC:H/SI:H/SA:L) suggest the vulnerability enables lateral movement or access to data beyond the immediate vulnerable service, typical of dataspace management platforms that broker access to multiple participating organizations' resources.
RemediationAI
Upgrade immediately to Dataspace Portal version 7.3.2 or later, released 2026-04-20. Deploy patched Docker images: ghcr.io/sovity/ds-portal-ce-backend:7.3.2 (backend) and ghcr.io/sovity/ds-portal-ce-frontend:7.3.2 (frontend). Vendor release notes confirm no special migration steps required, enabling rapid deployment. Compatible component versions: Catalog Crawler CE 7.3.2, sovity EDC CE v16.5.0, Keycloak 26.4.7, PostgreSQL 17. If immediate patching is infeasible, implement emergency compensating controls: (1) disable self-registration functionality via Keycloak realm settings until patched, trading user onboarding convenience for security; (2) audit all PENDING accounts created since deployment of vulnerable versions (2.1.1+) and review API access logs for unauthorized activity patterns; (3) if disabling registration is unacceptable, manually approve PENDING accounts within minutes of creation to minimize exposure window, though this does not eliminate the vulnerability. Firewall rules restricting backend API access to approved IP ranges reduce attack surface but do not prevent abuse by adversaries who self-register from allowed networks. Full security posture restoration requires upgrading to 7.3.2. Advisory: https://github.com/sovity/dataspace-portal/security/advisories/GHSA-989g-wpfv-6vxx. Release: https://github.com/sovity/dataspace-portal/releases/tag/v7.3.2.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28817