CVE-2026-23989 · HIGH 8.1 · EPSS p18.9%

CVE-2026-23989

Description

REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service, this can be leveraged to create an archive (zip or tar file) containing all resources that the creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.27% probability of exploitation · percentile 18.9% · 2026-06-18T12:00:27Z
Published: 2026-02-06
Last modified: 2026-02-24

Underlying weaknesses · 1

CWE-863

References

  1. https://github.com/opencloud-eu/reva/commit/95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1
  2. https://github.com/opencloud-eu/reva/security/advisories/GHSA-9j2f-3rj3-wgpg

Type       Target                              Confidence   Tier
Weakness   Incorrect Authorization (CWE-863)   0%           live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-32589
CVE-2026-53470
CVE-2026-23899
CVE-2026-2460
CVE-2026-41283
CVE-2025-29315
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.