GHSA-9J2F-3RJ3-WGPG

Vulnerability from github – Published: 2026-02-05 20:32 – Updated: 2026-02-06 21:42
VLAI?
Summary
OpenCloud Reva has a Public Link Exploit
Details

Impact

A security issue was discovered in Reva based products that enables a malicious user to bypass the scope validation of a public link, allowing it to access resources outside the scope of a public link.

Details

Public link shares in OpenCloud are bound to a specific scope (usually a file or directory). Anonymous users accessing resources via this public link share are only allowed to access the share resource itself and, in case of a directory or space root, all child resources of it.

Due to a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud a malicious user is able to bypass the scope verification. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to.

It is not possible to bypass the public link scope via "normal" WebDAV requests so it is not possible to exploit this vulnerability via WebDAV.

Patches

Update to OpenCloud Reva version >= 2.40.3 for the 2.40.x versions.\ Update to OpenCloud Reva version >= 2.42.3 for the 2.41.x versions

Workarounds

There is no workaround because one cannot run Reva standalone from this project. Please check the OpenCloud Advisory how to mitigate the problem in an OpenCloud deployment via configuration.

For more information

If there are any questions or comments about this advisory:

Severity ?
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.40.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opencloud-eu/reva/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.40.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opencloud-eu/reva/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.41.0"
            },
            {
              "fixed": "2.42.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-05T20:32:53Z",
    "nvd_published_at": "2026-02-06T19:16:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA security issue was discovered in Reva based products that enables a malicious user to bypass the scope validation of a public link, allowing it to access resources outside the scope of a public link.\n\n### Details\n\nPublic link shares in OpenCloud are bound to a specific scope (usually a file or directory). Anonymous users accessing resources via this public link share are only allowed to access the share resource itself and, in case of a directory or space root, all child resources of it.\n\nDue to a bug in the GRPC authorization middleware of the \"Reva\" component of OpenCloud a malicious user is able to bypass the scope verification. By exploiting this via the the \"archiver\" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to.\n\nIt is not possible to bypass the public link scope via \"normal\" WebDAV requests so it is not possible to exploit this vulnerability via WebDAV.\n\n### Patches\n\nUpdate to OpenCloud Reva version \u003e= 2.40.3 for the 2.40.x versions.\\\nUpdate to OpenCloud Reva version \u003e= 2.42.3 for the 2.41.x versions\n\n### Workarounds\n\nThere is no workaround because one cannot run Reva standalone from this project. Please check the [OpenCloud Advisory](https://github.com/opencloud-eu/opencloud/security/advisories/GHSA-vf5j-r2hw-2hrw) how to mitigate the problem in an OpenCloud deployment via configuration.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\n- Security Support: [security@opencloud.eu](mailto:security@opencloud.eu)\n- Technical Support: [support@opencloud.eu](mailto:support@opencloud.eu)",
  "id": "GHSA-9j2f-3rj3-wgpg",
  "modified": "2026-02-06T21:42:15Z",
  "published": "2026-02-05T20:32:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencloud-eu/reva/security/advisories/GHSA-9j2f-3rj3-wgpg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23989"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencloud-eu/reva/commit/95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opencloud-eu/reva"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenCloud Reva has a Public Link Exploit"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.