CVE-2026-23989 HIGH

CVE-2026-23989: REVA Public Link Exploit

Vendor Opencloud-Eu
Product reva
Weakness CWE-863 · Incorrect authorization
Published February 6, 2026
Last update February 6, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.

Key dates

02Disclosure timeline

February 6, 2026 CVE published
February 6, 2026 Record updated