Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-23989 is a security vulnerability in the Reva component of OpenCloud that affects versions prior to 2.40.3 and 2.42.3. The issue lies in the GRPC authorization middleware where a bug allows a malicious user to bypass the scope verification of public links.'}, {'type': 'paragraph', 'content': 'Normally, public links restrict access to specific resources and their children. However, due to this flaw, an attacker can exploit the "archiver" service to create an archive (zip or tar) containing all resources accessible to the creator of the public link, effectively accessing data beyond the intended scope.'}, {'type': 'paragraph', 'content': 'This vulnerability can be exploited remotely without any authentication or user interaction, but only via the archiver service, not through normal WebDAV requests.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive data by allowing an attacker to bypass scope restrictions on public links.

An attacker can create an archive containing all resources the public link creator has access to, potentially exposing confidential information.

The impact on confidentiality is high, while integrity impact is low and availability is not affected.

Since no authentication or user interaction is required, the risk of exploitation is significant if the vulnerable versions are in use.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability specifically affects the Reva component\'s GRPC authorization middleware and is exploitable via the "archiver" service. Detection involves monitoring or testing for unauthorized archive creation requests that bypass scope validation.'}, {'type': 'paragraph', 'content': 'Since the exploit targets the archiver service through GRPC calls, detection can focus on inspecting GRPC traffic or logs for suspicious archive creation requests that include resources beyond the intended public link scope.'}, {'type': 'paragraph', 'content': 'No explicit detection commands are provided in the available resources. However, network administrators can use tools like grpcurl or grpc_cli to simulate or inspect GRPC calls to the archiver service to verify if scope validation is enforced.'}, {'type': 'list_item', 'content': 'Use grpcurl to call the archiver service and attempt to create an archive including resources outside the public link scope.'}, {'type': 'list_item', 'content': 'Check Reva logs for any archive creation requests that include unexpected or unauthorized resource paths.'}, {'type': 'list_item', 'content': 'Monitor network traffic for GRPC calls to the archiver service that do not require authentication but attempt to access multiple or all resources.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation for this vulnerability is to update the Reva component of OpenCloud to a fixed version.

• Upgrade Reva to version 2.40.3 or later if you are on the 2.40.x branch.
• Upgrade Reva to version 2.42.3 or later if you are on the 2.41.x branch.

No standalone workaround exists, so applying the official patches or upgrading is necessary to fully mitigate the issue.

Additionally, review and apply any configuration changes recommended by OpenCloud advisories related to this vulnerability.

Useful 0 Not Useful 0