PT-2026-6645 · Opencloud · Reva

Rhafer · Published 2026-02-05 · Updated 2026-03-03 · CVE-2026-23989

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

REVA versions prior to 2.40.3
REVA versions prior to 2.42.3

Description

A flaw exists in the gRPC authorization middleware of the "Reva" component of OpenCloud. It allows a malicious user to bypass the scope verification of a public link. By exploiting this through the "archiver" service, an attacker can create an archive (zip or tar file) containing all resources accessible to the creator of the public link. The issue is not exploitable via WebDAV requests.

Recommendations

Update to REVA version 2.40.3 or later.
Update to REVA version 2.42.3 or later.

Exploit

Fix

Incorrect Authorization

Path traversal

Weakness Enumeration

Related identifiers

CVE-2026-23989
GHSA-9J2F-3RJ3-WGPG
GO-2026-4444
OPENSUSE-SU-2026:10159-1
SUSE-SU-2026:0757-1

Affected products

Reva