Dataspace Portal
Monthly
Unauthorized API access in sovity Dataspace Portal versions 2.1.1 through 7.3.1 allows unauthenticated remote attackers to bypass authorization controls and access backend APIs using credentials from self-registered accounts in PENDING status. The vulnerability affects the open-source SaaS platform before organizations approve new user registrations, enabling information disclosure and potential data manipulation. Vendor-confirmed patch released in version 7.3.2 on 2026-04-20. CVSS 10.0 reflects network-accessible attack with no complexity, no privileges required, and high impact across confidentiality, integrity, and availability in both vulnerable and subsequent systems. No CISA KEV listing or public exploit identified at time of analysis.
Unauthorized API access in sovity Dataspace Portal versions 2.1.1 through 7.3.1 allows unauthenticated remote attackers to bypass authorization controls and access backend APIs using credentials from self-registered accounts in PENDING status. The vulnerability affects the open-source SaaS platform before organizations approve new user registrations, enabling information disclosure and potential data manipulation. Vendor-confirmed patch released in version 7.3.2 on 2026-04-20. CVSS 10.0 reflects network-accessible attack with no complexity, no privileges required, and high impact across confidentiality, integrity, and availability in both vulnerable and subsequent systems. No CISA KEV listing or public exploit identified at time of analysis.