GHSA-9j2f-3rj3-wgpg

Source

https://github.com/advisories/GHSA-9j2f-3rj3-wgpg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9j2f-3rj3-wgpg/GHSA-9j2f-3rj3-wgpg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9j2f-3rj3-wgpg

Aliases

Published

2026-02-05T20:32:53Z

Modified

2026-02-19T20:41:16.163826Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator

Summary

OpenCloud Reva has a Public Link Exploit

Details

Impact

A security issue was discovered in Reva based products that enables a malicious user to bypass the scope validation of a public link, allowing it to access resources outside the scope of a public link.

Details

Public link shares in OpenCloud are bound to a specific scope (usually a file or directory). Anonymous users accessing resources via this public link share are only allowed to access the share resource itself and, in case of a directory or space root, all child resources of it.

Due to a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud a malicious user is able to bypass the scope verification. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to.

It is not possible to bypass the public link scope via "normal" WebDAV requests so it is not possible to exploit this vulnerability via WebDAV.

Patches

Update to OpenCloud Reva version >= 2.40.3 for the 2.40.x versions.\ Update to OpenCloud Reva version >= 2.42.3 for the 2.41.x versions

Workarounds

There is no workaround because one cannot run Reva standalone from this project. Please check the OpenCloud Advisory how to mitigate the problem in an OpenCloud deployment via configuration.

For more information

If there are any questions or comments about this advisory:

Security Support: security@opencloud.eu
Technical Support: support@opencloud.eu

Database specific

{
    "github_reviewed_at": "2026-02-05T20:32:53Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-863"
    ],
    "nvd_published_at": "2026-02-06T19:16:08Z",
    "severity": "HIGH"
}

References

Affected packages

Go / github.com/opencloud-eu/reva/v2

Package

Name: github.com/opencloud-eu/reva/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/opencloud-eu/reva/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.40.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9j2f-3rj3-wgpg/GHSA-9j2f-3rj3-wgpg.json"

last_known_affected_version_range

"<= 2.40.1"

Go / github.com/opencloud-eu/reva/v2

Package

Name: github.com/opencloud-eu/reva/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/opencloud-eu/reva/v2

Affected ranges

Type: SEMVER
Events: Introduced

2.41.0

Fixed

2.42.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9j2f-3rj3-wgpg/GHSA-9j2f-3rj3-wgpg.json"