PT-2026-8299 · Go · Github.Com/Opencloud-Eu/Opencloud
Publicado
2026-02-05
·
Atualizado
2026-02-05
CVSS v3.1
8.2
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
Impact
A security issue was discovered in Reva that enables a malicious user to bypass the scope validation of a public link. That allows it to access resources outside the scope of a public link.
OpenCloud uses Reva as one of its core components and thus it is affected.
Patches
Update to OpenCloud version >= 4.0.3 (stable release)
Update to OpenCloud version >= 5.0.2 (rolling release)
Workarounds
If projects are unable to update immediately, please implement the following security configuration to disable public link shares temporarily until the final solution for this problem is rolled out.
Configuration Adjustment
- Docker Compose: Edit the docker-compose.yml and add
GATEWAY STORAGE PUBLIC LINK ENDPOINT=“”(empty string value) in theenvironmentsection of theopencloudcontainer.
Verification of Mitigation
Execute the following test:
- Create a public link for testing.
- Open the link url in a private (no active login) browser tab.
- An error page with “unknown error” will be displayed.
This configuration provides immediate protection and should be implemented immediately. Configuration mitigation is available. It mitigates the problem completely.
For more information
If there are questions or comments about this advisory:
- Security Support: security@opencloud.eu
- Technical Support: support@opencloud.eu
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Github.Com/Opencloud-Eu/Opencloud