VDB

CVE-2026-23989

CVE-2026-23989 PUBLISHED CVSS 8.199999809265137 HIGH

REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.

EPSS 0.02% · 4.5th percentile

Risk Scores

CVSS v3.1
8.199999809265137
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score
0.02%
4.5th percentile

Affected Products

VendorProductVersions
heinleinopencloud_reva2.41.0, 0, 2.41.0
github.comopencloud-eu/reva/v22.41.0, 0, 2.41.0
opencloud-eureva*, >= 2.41.0, < 2.42.3, < 2.40.3

Timeline

  • Feb 5, 2026 CVE Published
  • Feb 6, 2026 CVE Updated
  • Feb 6, 2026 PoC Published
  • Feb 6, 2026 PoC Published
  • Feb 7, 2026 EPSS Score
  • Feb 9, 2026 EPSS Score
  • Feb 10, 2026 Security Advisory
  • Feb 11, 2026 EPSS Score
  • Feb 13, 2026 EPSS Score
  • Feb 15, 2026 EPSS Score
  • Feb 18, 2026 EPSS Score
  • Feb 20, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›