CVE-2026-42160
Received Received - Intake
Insufficient Authorization in Data Space Portal for Pending Accounts

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42160
EUVD
EUVD-2026-28817
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
sovity dataspace-portal From 2.1.1 (inc) to 7.3.2 (exc)
sovity dataspace-portal 7.3.2
sovity ds-portal-ce-backend From 2.1.1 (inc)
sovity ds-portal-ce-backend 7.3.2
sovity frontend 7.3.2
sovity catalog-crawler-ce *
sovity edc-ce 16.5.0
keycloak keycloak 26.4.7
postgresql postgresql 17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-602 The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Data Space Portal, an open-source SaaS solution for managing dataspaces. Between versions 2.1.1 and before 7.3.2, the backend does not properly authorize self-registered accounts that are in a "PENDING" state. This means that users or organizations that have registered but are still pending approval may have more access or capabilities than intended, potentially bypassing security controls.

Impact Analysis

Because of insufficient authorization on pending accounts, unauthorized users or organizations might gain access to sensitive data or functionalities within the Data Space Portal. This could lead to data breaches, unauthorized data manipulation, or other security incidents compromising the integrity and confidentiality of the dataspace.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Data Space Portal software to version 7.3.2 or later, where the insufficient authorization issue has been patched.

Compliance Impact

The vulnerability allows unauthorized access to dataspace resources by users with pending accounts, potentially leading to unauthorized data access and confidentiality breaches.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict control over access to personal and sensitive data.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Detection Guidance

This vulnerability involves insufficient backend authorization checks allowing users with "PENDING" account status to access restricted API endpoints by bypassing frontend enforcement.

To detect exploitation attempts on your system or network, you can monitor API access logs for requests made by accounts with a "PENDING" status accessing restricted endpoints such as dataspace catalog viewing, connector registration, or other privileged actions.

Suggested commands include querying backend logs or API access logs for suspicious activity:

  • Use grep or similar tools to search logs for API calls from users with "PENDING" status, e.g., `grep 'status:PENDING' /var/log/dataspace-portal/api.log`
  • Monitor HTTP requests to restricted endpoints by filtering logs for unusual POST or GET requests from newly registered accounts.
  • If you have database access, run queries to identify accounts with "PENDING" status that have recent activity or API tokens used for restricted actions.

Since the vulnerability stems from missing backend checks, direct API calls bypassing frontend restrictions are key indicators. Network monitoring tools can be configured to flag such unauthorized API calls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42160. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart