CVE-2026-42160
Insufficient Authorization in Data Space Portal for Pending Accounts
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sovity | dataspace-portal | From 2.1.1 (inc) to 7.3.2 (exc) |
| sovity | dataspace-portal | 7.3.2 |
| sovity | ds-portal-ce-backend | From 2.1.1 (inc) |
| sovity | ds-portal-ce-backend | 7.3.2 |
| sovity | frontend | 7.3.2 |
| sovity | catalog-crawler-ce | * |
| sovity | edc-ce | 16.5.0 |
| keycloak | keycloak | 26.4.7 |
| postgresql | postgresql | 17 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-602 | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Data Space Portal, an open-source SaaS solution for managing dataspaces. From version 2.1.1 up to, but not including, 7.3.2, the backend does not properly authorize self-registered accounts that are in a "PENDING" state. This means that users or organizations that have registered but are still awaiting approval may have more access or capabilities than intended, potentially bypassing security controls.
How can this vulnerability impact me?
Because of insufficient authorization on pending accounts, unauthorized users or organizations might gain access to sensitive data or functionalities within the Data Space Portal. This could lead to data breaches, unauthorized data manipulation, or other security incidents compromising the integrity and confidentiality of the dataspace.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Data Space Portal software to version 7.3.2 or later, where the insufficient authorization issue has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to dataspace resources by users with pending accounts, potentially leading to unauthorized data access and confidentiality breaches.
Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict control over access to personal and sensitive data.
However, the provided information does not explicitly mention compliance impacts or regulatory considerations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves insufficient backend authorization checks that allow users with a "PENDING" account status to reach restricted API endpoints directly, bypassing enforcement that only exists in the frontend.
To detect exploitation attempts on your system or network, monitor API access logs for requests made by accounts with a "PENDING" status to restricted endpoints such as dataspace catalog viewing, connector registration, or other privileged actions.
Suggested approaches include querying backend logs or API access logs for suspicious activity:
- Use grep or similar tools to search logs for API calls from users with "PENDING" status, e.g., `grep 'status:PENDING' /var/log/dataspace-portal/api.log`
- Monitor HTTP requests to restricted endpoints by filtering logs for unusual POST or GET requests from newly registered accounts.
- If you have database access, run queries to identify accounts with "PENDING" status that have recent activity or API tokens used for restricted actions.
Since the vulnerability stems from missing backend checks, direct API calls bypassing frontend restrictions are key indicators. Network monitoring tools can be configured to flag such unauthorized API calls.
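The two patterns the CWE table and the detection answer above describe, as an added example that is not code from the CVE record or from the sovity project: an authorization gate that trusts the frontend to hide privileged actions from PENDING accounts, next to one that enforces approval state on the server, plus a scan of constructed access-log lines for successful calls by PENDING accounts to endpoints outside their allowlist. Endpoint paths, the `status:` log format and the sample lines are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed endpoint names, not the real Data Space Portal API: the only
# calls a self-registered, not-yet-approved account legitimately needs.
PENDING_ALLOWED = {"/api/me", "/api/registration/status"}


@dataclass(frozen=True)
class Account:
    user_id: str
    status: str  # e.g. "PENDING", "ACTIVE", "REJECTED"


def authorize_vulnerable(account: Optional[Account], path: str) -> bool:
    """Checks authentication only (CWE-602): hiding privileged actions from
    PENDING users is left to the frontend, so any valid session succeeds."""
    return account is not None


def authorize_fixed(account: Optional[Account], path: str) -> bool:
    """Enforces approval state server-side, deny by default (fixes CWE-863)."""
    if account is None:
        return False
    if account.status == "ACTIVE":
        return True
    if account.status == "PENDING":
        return path in PENDING_ALLOWED
    return False  # REJECTED or unknown states get nothing


# Constructed log format: <timestamp> user=<id> status:<state> <METHOD> <path> <code>
LOG_RE = re.compile(r"^\S+ user=(\S+) status:(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")


def find_pending_hits(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, path) for 2xx responses to PENDING accounts on endpoints
    outside the allowlist: the bypass indicator the detection guidance names."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        user, status, _method, path, code = m.groups()
        if status == "PENDING" and path not in PENDING_ALLOWED and code.startswith("2"):
            hits.append((user, path))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    "2026-05-08T10:00:01Z user=org42 status:PENDING GET /api/me 200",
    "2026-05-08T10:00:05Z user=org42 status:PENDING GET /api/catalog 200",
    "2026-05-08T10:00:09Z user=org42 status:PENDING POST /api/connectors 201",
    "2026-05-08T10:01:00Z user=org7 status:ACTIVE GET /api/catalog 200",
    "2026-05-08T10:01:30Z user=org9 status:PENDING GET /api/catalog 403",
]
```

A 403 on a restricted path from a PENDING account is the patched behaviour and is deliberately not reported; only successful calls are.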