VYPR
High severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 6, 2026

REVA Public Link Exploit

CVE-2026-23989

Description

REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the gRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service, this can be leveraged to create an archive (zip or tar file) containing all resources that the creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/opencloud-eu/reva/v2 (Go) | < 2.40.3 | 2.40.3 |
| github.com/opencloud-eu/reva/v2 (Go) | >= 2.41.0, < 2.42.3 | 2.42.3 |
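
To check a Go project against the ranges above, the following added example (not code from the advisory or from the Reva project) reads go.mod text and reports whether the pinned reva/v2 version is affected. The names revaModule, before, Affected and RevaVersion are hypothetical, and the go.mod line in main is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

const revaModule = "github.com/opencloud-eu/reva/v2"

// before reports whether v sorts before release rel; a "-" suffix (pre-release or pseudo-version) sorts before the same core.
func before(v string, rel [3]int) (bool, error) {
	v, _, _ = strings.Cut(v, "+") // build metadata does not affect ordering
	var c [3]int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &c[0], &c[1], &c[2]); err != nil {
		return false, fmt.Errorf("unparseable version %q: %w", v, err)
	}
	for i := range c {
		if c[i] != rel[i] {
			return c[i] < rel[i], nil
		}
	}
	return strings.Contains(v, "-"), nil
}

// Affected applies the advisory's ranges: < 2.40.3, or >= 2.41.0 and < 2.42.3.
func Affected(v string) (bool, error) {
	a, err := before(v, [3]int{2, 40, 3})
	b, _ := before(v, [3]int{2, 41, 0})
	c, _ := before(v, [3]int{2, 42, 3})
	return a || (!b && c), err
}

// RevaVersion returns the version that go.mod text pins for revaModule, if any.
func RevaVersion(gomod string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(line, "//")[0]) // drop trailing comment
		for i := 0; i+1 < len(f); i++ {
			if f[i] == revaModule && strings.HasPrefix(f[i+1], "v") {
				return f[i+1], true
			}
		}
	}
	return "", false
}

func main() {
	// Constructed go.mod require line, not from a real project.
	v, _ := RevaVersion("require " + revaModule + " v2.41.1 // indirect\n")
	fmt.Println(Affected(v))
}
```

A replace directive that points the module at a local path carries no version and is reported as not found, so such checkouts need to be inspected by hand.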
