PT-2026-8299 — Path traversal in Go Github.Com/Opencloud-Eu/Opencloud

PT-2026-8299 · Go · Github.Com/Opencloud-Eu/Opencloud

Published

2026-02-05

Updated

2026-02-05

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Impact

A security issue was discovered in Reva that enables a malicious user to bypass the scope validation of a public link. That allows it to access resources outside the scope of a public link.

OpenCloud uses Reva as one of its core components and thus it is affected.

Patches

Update to OpenCloud version >= 4.0.3 (stable release) Update to OpenCloud version >= 5.0.2 (rolling release)

Workarounds

If projects are unable to update immediately, please implement the following security configuration to disable public link shares temporarily until the final solution for this problem is rolled out.

Configuration Adjustment

Docker Compose: Edit the docker-compose.yml and add GATEWAY STORAGE PUBLIC LINK ENDPOINT=“” (empty string value) in the environment section of the opencloud container.

Verification of Mitigation

Execute the following test:

Create a public link for testing.
Open the link url in a private (no active login) browser tab.
An error page with “unknown error” will be displayed.

This configuration provides immediate protection and should be implemented immediately. Configuration mitigation is available. It mitigates the problem completely.

For more information

If there are questions or comments about this advisory:

Security Support: security@opencloud.eu
Technical Support: support@opencloud.eu

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

GHSA-VF5J-R2HW-2HRW

Affected Products

Github.Com/Opencloud-Eu/Opencloud