REVA Public Link Exploit
Description
REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service, this can be leveraged to create an archive (zip or tar file) containing all resources that the creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bug in Reva's GRPC authorization middleware allows a malicious user to bypass public link scope checks, enabling extraction of arbitrary files via the archiver service.
Vulnerability
Overview
CVE-2026-23989 is an authorization bypass vulnerability in the Reva interoperability platform, used by OpenCloud. The bug resides in the GRPC authorization middleware, specifically in the checkIfNestedResource function that validates whether a requested resource falls within the scope of a public link share [1][3]. The check was a bare string-prefix comparison (strings.HasPrefix) of the requested path against the link's root path, with no awareness of path separators or normalisation, so an attacker can craft a path that passes the scope check even when it lies outside the allowed directory [4].
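As an added illustration of the comparison described above (example code written for this page, not Reva's own source), the Go snippet below places the pre-fix prefix check beside a port of the check from the fix commit and a slightly stricter variant. The function names, the link root `/users/alice/Shared` and the child paths are constructed for the example; the third function is a suggestion, not part of the patch.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed example, not Reva's code. parentPath stands in for the public
// link's root as returned by the storage provider; childPath for the path of
// the resource an anonymous caller asks the archiver to include.

// isNestedVulnerable mirrors the check removed by the fix commit: a plain
// string-prefix comparison with no separator awareness and no normalisation.
func isNestedVulnerable(parentPath, childPath string) bool {
	return strings.HasPrefix(childPath, parentPath)
}

// isNestedPatched mirrors the check the fix commit introduced: filepath.Rel
// cleans both inputs and expresses the child relative to the parent; any
// result starting with ".." is treated as an escape from the parent.
func isNestedPatched(parentPath, childPath string) (bool, error) {
	rel, err := filepath.Rel(parentPath, childPath)
	if err != nil {
		return false, err // fail closed if the paths cannot be related
	}
	return !strings.HasPrefix(rel, ".."), nil
}

// isNestedStrict is a stricter variant (a suggestion for this page, not from
// the patch): only ".." itself or a leading "../" segment escapes the parent,
// so a resource literally named "..notes" inside the link is still allowed.
func isNestedStrict(parentPath, childPath string) (bool, error) {
	rel, err := filepath.Rel(parentPath, childPath)
	if err != nil {
		return false, err
	}
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return false, nil
	}
	return true, nil
}

func main() {
	const linkRoot = "/users/alice/Shared"
	cases := []struct{ name, child string }{
		{"in scope", "/users/alice/Shared/report.pdf"},
		{"sibling sharing the prefix", "/users/alice/Shared-private/salaries.xlsx"},
		{"dot-dot traversal", "/users/alice/Shared/../Private/keys.txt"},
		{"child named ..notes", "/users/alice/Shared/..notes"},
	}
	for _, c := range cases {
		v := isNestedVulnerable(linkRoot, c.child)
		p, _ := isNestedPatched(linkRoot, c.child)
		s, _ := isNestedStrict(linkRoot, c.child)
		fmt.Printf("%-28s vulnerable=%-5v patched=%-5v strict=%v\n", c.name, v, p, s)
	}
}
```

Run it with `go run .`: the sibling directory `Shared-private` and the traversal path both satisfy the old prefix check but are refused by the patched check, which is the bypass the advisory describes. The last case shows the one difference between the patched and the stricter variant: a resource whose name merely begins with two dots is refused by `HasPrefix(rel, "..")` even though it sits inside the link.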
Exploitation
Exploitation requires only a valid public link (no authentication needed). An anonymous user can send specially crafted GRPC requests to the "archiver" service, which creates a zip or tar archive containing resources beyond the link's scope [3]. The vulnerability does not affect standard WebDAV requests, only GRPC-based interactions, so exploitation is specific to the archiver service [3]. The attacker must know the target resource paths.
Impact
Successful exploitation allows an unauthenticated attacker to create an archive containing any resource the original public link creator has access to, leading to data exfiltration of files and directories that should be restricted [1][3]. The impact depends on the link creator's permissions; if they have broad access, the attacker can obtain sensitive data from the entire instance.
Mitigation
Patches are available in Reva versions 2.40.3 and 2.42.3 [1][3]. No workaround exists for standalone Reva; OpenCloud deployments should apply the patch or follow the OpenCloud advisory for configuration-based mitigations [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/opencloud-eu/reva/v2 | Go | < 2.40.3 | 2.40.3 |
| github.com/opencloud-eu/reva/v2 | Go | >= 2.41.0, < 2.42.3 | 2.42.3 |
Affected products
- (no CPE) range: <2.42.3 AND <2.40.3
- (no CPE) range: < 2.40.3
Patches
95aa2bc5d980 Merge pull request #521 from opencloud-eu/public-scope-fix
1 file changed · +6 −2
internal/grpc/interceptors/auth/scope.go+6 −2 modified@@ -21,6 +21,7 @@ package auth import ( "context" "fmt" + "path/filepath" "strings" "time" @@ -283,8 +284,11 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent return false, statuspkg.NewErrorFromCode(pathResp.Status.Code, "auth interceptor") } childPath := pathResp.Path - - return strings.HasPrefix(childPath, parentPath), nil + rel, err := filepath.Rel(parentPath, childPath) + if err != nil { + return false, err + } + return !strings.HasPrefix(rel, ".."), nil } func extractRefFromListProvidersReq(v *registry.ListStorageProvidersRequest) (*provider.Reference, bool) {
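Review bot: the first hunk imports path/filepath, but the two values compared in checkIfNestedResource are storage-provider paths taken from the GetPath response, which use "/" regardless of host OS; on a non-Unix build filepath.Rel and its implicit Clean would also treat the OS separator as significant. If the paths are guaranteed slash-separated, `path.Clean` on both sides followed by `child == parent || strings.HasPrefix(child, parent+"/")` states the intent without depending on the host path rules. If Reva only targets Unix hosts this is a style point.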
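Review bot: in the second hunk, `return !strings.HasPrefix(rel, ".."), nil` also refuses a child whose first path element merely begins with two dots, because filepath.Rel returns e.g. `..hidden` for a file of that name directly under parentPath; a genuine escape yields `..` or `../x`, so `rel == ".." || strings.HasPrefix(rel, "../")` keeps the fix while not rejecting legitimately shared resources. Returning the filepath.Rel error (which occurs when one path is absolute and the other relative) is the right fail-closed choice; a short comment on checkIfNestedResource stating that both paths are expected to be absolute would document that assumption.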
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-9j2f-3rj3-wgpg (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-23989 (NVD entry)
- [3] github.com/opencloud-eu/reva/commit/95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1 (fix commit, x_refsource_MISC)
- [4] github.com/opencloud-eu/reva/security/advisories/GHSA-9j2f-3rj3-wgpg (repository security advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.