CVE-2026-23989
📋 TL;DR
A flaw in REVA's gRPC authorization middleware lets a request authenticated through a public link skip the scope check that should confine it to the shared resource. A malicious user who can create public links can exploit this through the archiver service and build archives of every resource the link creator can reach, not only the shared one. OpenCloud deployments running an affected REVA version are impacted.
💻 Affected Systems
- OpenCloud REVA
📦 What is this software?
REVA is the Go implementation of the CS3 APIs that OpenCloud uses as its storage gateway and sharing backend; both the public-link scope checks in the gRPC middleware and the archiver service that bundles files for download live in it.
⚠️ Risk & Real-World Impact
Worst Case
Exfiltration of every resource accessible to any user who has created a public link, potentially including sensitive organizational data.
Likely Case
Unauthorized access to files and resources through public links, leading to data leakage and privacy violations.
If Mitigated
Limited impact where the archiver is restricted and link activity is monitored, but the authorization bypass itself remains until REVA is patched.
🎯 Exploit Status
Exploitation requires an account that is allowed to create public links; once such a link exists, the bypass itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.42.3 or 2.40.3
Vendor Advisory: https://github.com/opencloud-eu/reva/security/advisories/GHSA-9j2f-3rj3-wgpg
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Update REVA to 2.42.3 (or 2.40.3 on the 2.40 branch). In an OpenCloud deployment REVA is compiled into the OpenCloud binary, so this means deploying an OpenCloud release that pins a fixed REVA version; only standalone builds from source update the module directly.
3. Restart the REVA (or OpenCloud) services.
4. Verify the fix: an archiver request authenticated with a public-link token for a resource outside that link must now be rejected.
🔧 Temporary Workarounds
Disable public links
Temporarily disable public sharing in the REVA configuration until the patch is deployed. This removes the attack path entirely, at the cost of all public-link sharing.
Restrict archiver service
Limit the archiver endpoints to trusted users, for example by denying public-link sessions access to them in the service's access controls or at the reverse proxy in front of it. Bulk and folder downloads that go through the archiver stop working for whoever is blocked.
🧯 If You Can't Patch
- Keep REVA instances segmented from other sensitive data stores and restrict who can reach the archiver endpoints. Segmentation limits what an exfiltrated archive could contain beyond REVA's own storage, but it does not stop the attack, which runs entirely over REVA's normal HTTP surface.
- Enable detailed logging and monitoring of archiver requests and public link creation, and alert on the correlations listed under Detection & Monitoring.
🔍 How to Verify
Check if Vulnerable:
Check the REVA version: 2.42.x below 2.42.3 and 2.40.x below 2.40.3 are vulnerable. Treat any other release below 2.42.3 (for example 2.41.x) as vulnerable as well and move it to 2.42.3; this page names no separate fix on those branches.
Check Version:
`reva version`, or the version string in the REVA service logs. In an OpenCloud deployment REVA is embedded in the OpenCloud binary, so check the REVA module pinned in the go.mod of the release you run, or run `go version -m <opencloud binary>` to list the modules compiled into it.
Verify Fix Applied:
After patching, confirm the version check above passes, then test that public link creation still works and that an archiver request made with a public-link token for a resource outside that link is refused; scope verification is working when only the linked resource can be archived.
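The branch-specific fix levels above make a naive "version below 2.42.3" test wrong for 2.40.3. As an added example (not REVA's or OpenCloud's own code), the Go program below encodes the rule, treats a pre-release of the fixed patch level as unfixed, and pulls the pinned REVA version out of a go.mod fragment, which is where the version lives in an OpenCloud deployment that compiles REVA in. The module path `github.com/opencloud-eu/reva/v2`, the treatment of 2.x branches this page does not name as vulnerable, and the go.mod contents are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// RevaModule is the Go module path of OpenCloud's REVA fork as assumed for this
// example; confirm it against the go.mod of the OpenCloud release you run.
const RevaModule = "github.com/opencloud-eu/reva/v2"

// SampleGoMod is a constructed go.mod fragment used only to demonstrate the check.
const SampleGoMod = `module example.com/opencloud-deployment

go 1.22

require (
	github.com/opencloud-eu/reva/v2 v2.42.2
	github.com/rs/zerolog v1.33.0
)
`

// parseVersion splits "v2.42.2", "2.42.2" or "v2.42.3-rc1" into its parts.
// pre is true for a pre-release, which sorts before the release it precedes.
func parseVersion(v string) (major, minor, patch int, pre bool, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata never affects ordering
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = true, v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, false, fmt.Errorf("unexpected version format %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return 0, 0, 0, false, fmt.Errorf("non-numeric component in %q", v)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], pre, nil
}

// fixedPatch maps the branches named on this page to their first fixed patch level.
var fixedPatch = map[int]int{40: 3, 42: 3}

// IsVulnerable reports whether a REVA version predates the fix on its branch.
// Assumption for this example: every other 2.x release below 2.42.3 (2.41.x,
// 2.39.x, ...) carries the bug and should move to 2.42.3.
func IsVulnerable(v string) (bool, error) {
	major, minor, patch, pre, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	if major != 2 {
		return false, errors.New("version is outside the 2.x series named by the advisory")
	}
	if fp, ok := fixedPatch[minor]; ok {
		// A pre-release of the fixed patch level (2.42.3-rc1) still predates the fix.
		return patch < fp || (patch == fp && pre), nil
	}
	return minor < 42, nil
}

// RequiredRevaVersion returns the REVA version pinned in go.mod contents.
// It reads require lines only; a replace directive pointing at another module
// path is not interpreted and must be checked by hand.
func RequiredRevaVersion(goMod string) (string, bool) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if f[i] == RevaModule && strings.HasPrefix(f[i+1], "v") {
				return f[i+1], true
			}
		}
	}
	return "", false
}

func main() {
	v, ok := RequiredRevaVersion(SampleGoMod)
	if !ok {
		fmt.Println("REVA module not found in go.mod")
		return
	}
	vuln, err := IsVulnerable(v)
	if err != nil {
		fmt.Println("cannot classify", v, ":", err)
		return
	}
	fmt.Printf("REVA %s vulnerable to CVE-2026-23989: %v\n", v, vuln)
}
```

Feed it the go.mod of the OpenCloud release you run, or the version printed by `go version -m` on the binary; a pre-release such as 2.42.3-rc1 is reported as vulnerable on purpose, because it was cut before the fix landed.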
📡 Detection & Monitoring
Log Indicators:
- Unusual archiver service requests
- Public link creation followed by archive operations
- Authorization failures in the gRPC middleware logs. On a patched system these mark blocked attempts; on an unpatched one the bypass succeeds silently, so the success-path correlations above matter more.
Network Indicators:
- Multiple archive requests from single user in short timeframe
- Large data transfers from archiver service
SIEM Query (Splunk-style; the `user`, `resource` and `status` field names depend on how your pipeline indexes REVA's JSON logs):
source="reva" AND ("archiver" OR "public.link") AND status="success" | stats count by user, resource
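The indicators above pair link creation with archiver use. The Go detector below is an added example, not a REVA or OpenCloud component, and runs over constructed JSON log lines with assumed field names (`time`, `msg`, `user`, `token`, `path`) and assumed message strings. It flags an archiver request that authenticates with a public-link token but asks for a path outside the link's resource, which is the symptom of this bypass, and a burst of archiver calls on one freshly created link. Map the field names and message strings to your own pipeline before using it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event holds the log fields this detector reads. The field names are an
// assumption for this example; map them to how your pipeline indexes REVA's
// JSON logs.
type Event struct {
	Time  time.Time `json:"time"`
	Msg   string    `json:"msg"`
	User  string    `json:"user"`  // account that created the link
	Token string    `json:"token"` // public-link token the request authenticates with
	Path  string    `json:"path"`  // resource shared, or resource requested from the archiver
}

// Finding is one alert.
type Finding struct {
	Rule  string
	Token string
	Owner string
	Path  string
}

const (
	window         = 10 * time.Minute // how long after link creation archiver calls are correlated
	burstThreshold = 3                // archiver calls on one link token inside the window
)

// SampleLog is constructed for this example: one link creation followed by
// archiver requests, two of which reach outside the link's path.
const SampleLog = `
{"time":"2026-01-10T09:00:00Z","msg":"public share created","user":"alice","token":"tok123","path":"/users/alice/shared/report.pdf"}
{"time":"2026-01-10T09:01:00Z","msg":"archiver request","token":"tok123","path":"/users/alice/shared/report.pdf"}
{"time":"2026-01-10T09:02:00Z","msg":"archiver request","token":"tok123","path":"/users/alice/finance"}
{"time":"2026-01-10T09:03:00Z","msg":"archiver request","token":"tok123","path":"/users/alice"}
{"time":"2026-01-10T11:00:00Z","msg":"archiver request","token":"tok123","path":"/users/alice/hr"}
{"time":"2026-01-10T11:01:00Z","msg":"archiver request","token":"unknown","path":"/users/bob"}
`

func parseEvents(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		events = append(events, e)
	}
	return events, nil
}

// withinScope is true when requested is granted itself or lies beneath it.
func withinScope(requested, granted string) bool {
	g := strings.TrimSuffix(granted, "/")
	return requested == g || strings.HasPrefix(requested, g+"/")
}

// Detect correlates "public share created" events with archiver requests that
// authenticate with the same link token inside the window. Events must be in
// time order, as they come from the log.
func Detect(events []Event) []Finding {
	type link struct {
		owner string
		path  string
		at    time.Time
		hits  int
	}
	links := map[string]*link{}
	var findings []Finding
	for _, e := range events {
		switch e.Msg {
		case "public share created":
			links[e.Token] = &link{owner: e.User, path: e.Path, at: e.Time}
		case "archiver request":
			l, ok := links[e.Token]
			if !ok || e.Time.Sub(l.at) > window {
				continue // no matching link, or too old to correlate
			}
			l.hits++
			// The link grants l.path only; an archive of anything else is the bypass.
			if !withinScope(e.Path, l.path) {
				findings = append(findings, Finding{"archiver-outside-link-scope", e.Token, l.owner, e.Path})
			}
			if l.hits == burstThreshold {
				findings = append(findings, Finding{"archiver-burst-after-link-creation", e.Token, l.owner, l.path})
			}
		}
	}
	return findings
}

// DetectFromLog parses raw JSON lines and runs the detector over them.
func DetectFromLog(raw string) ([]Finding, error) {
	events, err := parseEvents(raw)
	if err != nil {
		return nil, err
	}
	return Detect(events), nil
}

func main() {
	findings, err := DetectFromLog(SampleLog)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-36s token=%s owner=%s path=%s\n", f.Rule, f.Token, f.Owner, f.Path)
	}
}
```

On the constructed log the detector raises two scope findings (the archiver was asked for `/users/alice/finance` and `/users/alice` on a link that only grants `report.pdf`) and one burst finding; the request two hours later falls outside the window and the request with an unknown token has no link to correlate with. The scope rule is the one worth keeping after patching, since on a fixed system it should never fire.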