CVE-2026-42160
Description
Pending/unapproved users in Data Space Portal can access catalog and register connectors due to missing backend authorization checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Data Space Portal versions 2.1.1 through 7.3.1 (before 7.3.2), the backend does not validate the account status of self-registered users. Although the front end shows a "pending" page, the API endpoints lack server-side checks for the ACTIVE status. Affected endpoints include the catalog endpoint and connector registration endpoint, where only role and organization membership are verified but not the pending status [1].
Exploitation
An attacker can register a new organization/user account and log in. Despite the account being in "PENDING" status, the attacker can use the session token to call API endpoints such as the catalog endpoint (to view the dataspace catalog) or the register connector endpoint (to register a connector). No prior authorization or approval is needed beyond the initial self-registration [1].
Impact
A pending user gains unauthorized access to the dataspace catalog (information disclosure) and can register a connector, effectively participating in the dataspace without approval. This undermines the access control intended to restrict access to approved members [1].
Mitigation
The issue is patched in version 7.3.2, released on 2026-04-20 [2]. No special migration steps are required; users should update the backend Docker image to ghcr.io/sovity/ds-portal-ce-backend:7.3.2 [2]. No workaround is documented for unpatched versions.
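The defect class described under Vulnerability and addressed by the patch under Mitigation is easiest to see side by side: an endpoint that verifies role and organization membership but never consults the account's status, next to the same endpoint behind a central guard that rejects anything other than ACTIVE. The following Python is an added illustration written for this page, not code from Data Space Portal or sovity; the handler names, the role names PARTICIPANT_USER and PARTICIPANT_ADMIN, the Session and Catalog shapes and the sample data are all constructed assumptions. Only the PENDING and ACTIVE statuses come from the advisory text.

```python
"""Illustrative server-side account-status check (hypothetical, not Data Space Portal's code).

Models the defect class described for CVE-2026-42160: API handlers that check role and
organization membership but never check whether a self-registered account has actually
been approved (status ACTIVE) rather than left PENDING.
"""
from dataclasses import dataclass, field
from enum import Enum
from functools import wraps


class AccountStatus(Enum):
    PENDING = "PENDING"    # self-registered, awaiting approval (from the advisory)
    ACTIVE = "ACTIVE"      # approved (from the advisory)
    REJECTED = "REJECTED"  # assumed additional state


@dataclass
class Session:
    """Assumed shape of a logged-in session; a PENDING user still obtains one."""
    user_id: str
    organization_id: str
    roles: frozenset
    status: AccountStatus


class AuthorizationError(Exception):
    pass


@dataclass
class Catalog:
    entries: list
    connectors: dict = field(default_factory=dict)  # connector_id -> (org, endpoint)


def _check_role_and_org(session: Session, required_role: str) -> None:
    """The only checks the vulnerable endpoints perform: role and org membership."""
    if required_role not in session.roles:
        raise AuthorizationError("missing role")
    if not session.organization_id:
        raise AuthorizationError("no organization membership")


# --- Vulnerable form: status is never consulted, so a PENDING session passes ---

def get_catalog_vulnerable(session: Session, catalog: Catalog) -> list:
    _check_role_and_org(session, "PARTICIPANT_USER")  # hypothetical role name
    return list(catalog.entries)


def register_connector_vulnerable(session: Session, catalog: Catalog,
                                  connector_id: str, endpoint: str) -> str:
    _check_role_and_org(session, "PARTICIPANT_ADMIN")  # hypothetical role name
    catalog.connectors[connector_id] = (session.organization_id, endpoint)
    return connector_id


# --- Hardened form: one guard that every protected endpoint must go through ---

def require_active(required_role: str):
    """Decorator: reject any session whose account is not ACTIVE, then check role/org.

    Enforcing status centrally means no individual endpoint can forget the check,
    and the decision no longer depends on what the front end happens to render.
    """
    def decorator(fn):
        @wraps(fn)
        def wrapper(session: Session, *args, **kwargs):
            if session.status is not AccountStatus.ACTIVE:
                raise AuthorizationError(
                    f"account status is {session.status.value}, not ACTIVE")
            _check_role_and_org(session, required_role)
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


@require_active("PARTICIPANT_USER")
def get_catalog_hardened(session: Session, catalog: Catalog) -> list:
    return list(catalog.entries)


@require_active("PARTICIPANT_ADMIN")
def register_connector_hardened(session: Session, catalog: Catalog,
                                connector_id: str, endpoint: str) -> str:
    catalog.connectors[connector_id] = (session.organization_id, endpoint)
    return connector_id


def allowed(fn, *args) -> bool:
    """True if the handler accepts the call, False if it raises AuthorizationError."""
    try:
        fn(*args)
        return True
    except AuthorizationError:
        return False


def demo() -> tuple:
    """Constructed PENDING session: returns (what the vulnerable catalog leaks,
    whether the hardened catalog blocks the same session)."""
    catalog = Catalog(entries=["dataset-a", "dataset-b"])  # constructed sample data
    pending = Session("u1", "org-new",
                      frozenset({"PARTICIPANT_USER", "PARTICIPANT_ADMIN"}),
                      AccountStatus.PENDING)
    leaked = get_catalog_vulnerable(pending, catalog)
    blocked = not allowed(get_catalog_hardened, pending, catalog)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The design point is where the status check lives: putting it in the request pipeline (a decorator here, a filter or interceptor in a typical backend) rather than in each handler is what turns "we forgot it on two endpoints" into a single, auditable decision. A useful review check for deployments before 7.3.2 is to list every authenticated route and confirm each one passes through such a guard.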
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0. No linked articles in our index yet.