CVE-2026-23989
HIGH WAF: Low
CVSS 8.1
Published: 2026-02-06
CWE-863
REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| heinlein | opencloud_reva | up to 2.40.3 |
| heinlein | opencloud_reva | 2.41.0 - 2.42.3 |
References
- github.com (Patch)
- github.com (Vendor Advisory)