VYPR
High severity · NVD Advisory · Published Mar 1, 2024 · Updated Feb 13, 2025

Apache Archiva: disabling user registration is not effective

CVE-2024-27138

Description

UNSUPPORTED WHEN ASSIGNED Incorrect Authorization vulnerability in Apache Archiva.

Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Archiva's user registration disable setting can be bypassed, allowing unauthorized access despite the product being retired.

Vulnerability

Overview

CVE-2024-27138 describes an incorrect authorization vulnerability in Apache Archiva, a retired Maven repository manager. The application has a configuration option intended to disable new user registration, but the advisory states that this restriction can be bypassed. The advisory does not describe the bypass itself; what it establishes is that the "registration disabled" setting cannot be relied on as an authorization control, and that the vendor will not correct it.

Exploitation

Exploitation requires network access to the Archiva web interface; no prior authentication is needed. The attacker's goal is to register an account on an instance whose administrators believe registration is switched off. Because the exact request that defeats the setting is not published, administrators should assume that anyone who can reach the registration functionality can create an account.

Impact

A successfully registered account gives the attacker whatever access the instance grants to an ordinary registered user. Depending on repository permissions, that may include browsing artifacts and, where registered users have been granted upload rights, publishing or replacing artifacts, which turns the instance into a supply-chain risk for every build that resolves dependencies from it. Registration alone does not grant administrative privileges, so the practical severity depends on how much a standard user is permitted to do in the affected instance.

Mitigation

Apache Archiva has been retired and no longer receives security updates; the Apache Software Foundation has stated that it does not expect to release a fixed version. Administrators should migrate to a maintained artifact repository manager. If migration is not immediately possible, the instance must be isolated from untrusted users: restrict network access with a firewall or VPN, block the registration endpoint at a reverse proxy rather than trusting the application setting, and audit the user list for accounts that were not created by an administrator. This vulnerability is listed as 'Unsupported When Assigned' by the CVE program [1][2].
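Because the application-level setting cannot be trusted, the compensating control is to verify at the network edge that nobody outside the trusted network is reaching registration. The following is an added example, not code from the advisory or from the Archiva project: it scans reverse-proxy access-log lines for POSTs to Archiva's registration endpoint and flags attempts from outside an allowlist of trusted networks. The endpoint path (/restServices/redbackServices/userService/registerUser, the Redback REST service Archiva 2.x uses for self-registration) and the Combined-Log-Format layout of the lines are assumptions to adjust for your deployment; the log lines are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Assumption (not stated in the advisory): Archiva 2.x's web UI creates accounts
# through the Redback REST user service at this path. Adjust to your deployment.
REGISTRATION_PATH_SUFFIX = "/restServices/redbackServices/userService/registerUser"

# Constructed sample reverse-proxy access log (Combined Log Format without the
# referer/user-agent fields). Not captured from a real system. 10.0.0.0/8 plays
# the role of the trusted internal network; the other addresses are documentation
# ranges standing in for untrusted clients.
SAMPLE_LOG = """\
10.0.0.15 - - [02/Mar/2024:10:01:12 +0000] "GET /archiva/index.html HTTP/1.1" 200 5120
10.0.0.15 - - [02/Mar/2024:10:01:40 +0000] "POST /archiva/restServices/redbackServices/userService/registerUser HTTP/1.1" 200 312
203.0.113.7 - - [02/Mar/2024:10:05:03 +0000] "POST /archiva/restServices/redbackServices/userService/registerUser HTTP/1.1" 200 312
203.0.113.7 - - [02/Mar/2024:10:05:04 +0000] "GET /archiva/restServices/archivaServices/browseService/rootGroups HTTP/1.1" 200 88
198.51.100.23 - - [02/Mar/2024:10:09:11 +0000] "POST /archiva/restServices/redbackServices/userService/registerUser HTTP/1.1" 403 0
"""

# client ident user [timestamp] "METHOD path PROTOCOL" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string when matching
    return rec


def is_registration_request(rec: Dict) -> bool:
    """True for a POST to the registration endpoint under any context path."""
    return rec["method"] == "POST" and rec["path"].endswith(REGISTRATION_PATH_SUFFIX)


def find_registration_attempts(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> List[Dict]:
    """Return every registration POST, marking those from outside the trusted networks.

    A 2xx response to an untrusted client is the case to act on: the proxy let the
    request through and the application may have created an account.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_registration_request(rec):
            continue
        try:
            trusted = any(ipaddress.ip_address(rec["ip"]) in net for net in networks)
        except ValueError:
            trusted = False  # unparsable client address: treat as untrusted
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "trusted": trusted,
            "likely_created": (not trusted) and 200 <= rec["status"] < 300,
        })
    return findings


def untrusted_successes(findings: List[Dict]) -> List[Dict]:
    """The subset of findings where an untrusted client got a 2xx from registration."""
    return [f for f in findings if f["likely_created"]]


if __name__ == "__main__":
    found = find_registration_attempts(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"])
    for f in found:
        label = "ALERT" if f["likely_created"] else ("blocked" if not f["trusted"] else "trusted")
        print(f"{f['ts']} {f['ip']:<15} status={f['status']} {label}")
```

Run against the sample, the scan reports three registration attempts: one from the trusted network, one from 198.51.100.23 that the proxy refused with 403, and one from 203.0.113.7 that received 200 and should be followed up by checking the Archiva user list for a new account. The 403 line is what a correctly configured proxy rule produces; any 2xx from outside the allowlist means the edge control is not in place.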

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.archiva:archiva (Maven)
Affected versions: <= 2.2.10
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
