Cyber Posture

CVE-2026-23989

Severity: High
Published: 06 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: available (Reva 2.40.3 and 2.42.3)
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0002 (4.4th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23989 is a high-severity Incorrect Authorization (CWE-863) vulnerability in the GRPC authorization middleware of Heinlein OpenCloud Reva. Its CVSS base score is 8.2 (High).

Exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 4.4th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-25 (Reference Monitor).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-25 Reference Monitor (prevent)
The GRPC authorization middleware functions as a reference monitor: it must mediate and enforce every access decision made under a public-link token, including calls that reach the archiver service, so that no code path skips the scope check. Complete mediation is what directly prevents the public-link scope verification bypass.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to resources, countering the incorrect authorization bug that allowed public-link scope bypass and unauthorized archiver access.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Explicitly authorizes and limits the specific actions allowed without identification or authentication, such as restricting archiver service usage via unauthenticated public links to the resources inside the link's intended scope only.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? The authorization bypass sits in the public-facing GRPC/archiver path, so an unauthenticated request to an exposed OpenCloud instance maps directly to T1190 and yields unauthorized data access and exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that the creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.

Deeper analysis

CVE-2026-23989 is a vulnerability in the Reva component of OpenCloud, an interoperability platform. Prior to versions 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware allows bypassing scope verification for public links. This issue, classified under CWE-863 (Incorrect Authorization), has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and no required privileges or user interaction.

Anyone holding a public link can exploit this vulnerability without an account on the instance (PR:N) by driving the archiver service through that link. Because the scope check is bypassed, the archiver builds a zip or tar archive containing every resource the public link's creator can access, not just the shared folder, resulting in unauthorized data exfiltration with high confidentiality impact and low integrity impact.

The vulnerability is fixed in Reva versions 2.42.3 and 2.40.3. The GitHub security advisory (GHSA-9j2f-3rj3-wgpg) and the fixing commit (95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1) carry the details; affected deployments should upgrade immediately.
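The control passages above and the analysis here describe the same requirement: a public-link token carries a scope, and an authorization middleware acting as a reference monitor must check every call against it. The following Go program is an added illustration of that requirement and is not code from Reva or OpenCloud (the real fix is in the linked commit, and the actual bug is not reconstructed here). The scope struct, the method names ("Stat", "CreateArchive", ...) and the paths are constructed for the example. The weak form checks scope only for a hand-picked list of methods, which is the CWE-863 shape; the strict form mediates every call and fails closed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// PublicShareScope is the authority a public-link token carries: one share
// root and the operations the link permits. Constructed model for this
// example; not Reva's types.
type PublicShareScope struct {
	Root    string          // the shared folder, e.g. "/users/alice/projects/q1"
	Methods map[string]bool // operations allowed through the link
}

// Request stands in for one incoming gRPC call. Bulk operations such as an
// archive request name several resources, so Resources is a slice.
type Request struct {
	Method    string   // hypothetical method name, e.g. "Stat" or "CreateArchive"
	Resources []string // paths the call wants to read
}

var ErrOutOfScope = errors.New("request outside public-link scope")

// withinRoot reports whether p equals root or lies beneath it. Both sides are
// cleaned first so "q1/../../private" cannot escape, and the trailing "/" in
// the prefix check stops "/q1-secret" matching root "/q1".
func withinRoot(root, p string) bool {
	root, p = path.Clean(root), path.Clean(p)
	if root == "/" {
		return true
	}
	return p == root || strings.HasPrefix(p, root+"/")
}

// authorizeWeak has the CWE-863 shape: the scope check runs only for a
// hand-picked set of methods, so anything else is waved through without a
// look at the share root. A bulk method the list forgot becomes a full
// bypass of the public link's scope.
func authorizeWeak(scope PublicShareScope, req Request) error {
	scopeChecked := map[string]bool{"Stat": true, "InitiateFileDownload": true}
	if !scopeChecked[req.Method] {
		return nil // unmediated call: this is the weakness
	}
	for _, r := range req.Resources {
		if !withinRoot(scope.Root, r) {
			return ErrOutOfScope
		}
	}
	return nil
}

// authorizeStrict is the reference-monitor shape (AC-25, AC-3, AC-14): every
// call made with a public-link token is mediated, the method must be one the
// scope permits, and every resource it names must sit under the share root.
// Methods the scope does not list fail closed instead of open.
func authorizeStrict(scope PublicShareScope, req Request) error {
	if !scope.Methods[req.Method] {
		return fmt.Errorf("method %q not permitted by scope: %w", req.Method, ErrOutOfScope)
	}
	if len(req.Resources) == 0 {
		return fmt.Errorf("no resource named: %w", ErrOutOfScope)
	}
	for _, r := range req.Resources {
		if !withinRoot(scope.Root, r) {
			return fmt.Errorf("resource %q: %w", r, ErrOutOfScope)
		}
	}
	return nil
}

// demoScope is a constructed public link rooted at one project folder.
func demoScope() PublicShareScope {
	return PublicShareScope{
		Root:    "/users/alice/projects/q1",
		Methods: map[string]bool{"Stat": true, "InitiateFileDownload": true, "CreateArchive": true},
	}
}

func main() {
	scope := demoScope()
	// An archive request mixing an in-scope file with one outside the share.
	archive := Request{Method: "CreateArchive", Resources: []string{
		"/users/alice/projects/q1/report.pdf",
		"/users/alice/private/taxes.pdf",
	}}
	fmt.Println("weak:  ", authorizeWeak(scope, archive))   // <nil>: bypass
	fmt.Println("strict:", authorizeStrict(scope, archive)) // out of scope
	// Sibling-prefix and dot-dot attempts against the share root.
	sibling := Request{Method: "Stat", Resources: []string{"/users/alice/projects/q1-secret/notes.txt"}}
	fmt.Println("strict:", authorizeStrict(scope, sibling))
	escape := Request{Method: "Stat", Resources: []string{"/users/alice/projects/q1/../../private/taxes.pdf"}}
	fmt.Println("strict:", authorizeStrict(scope, escape))
}
```

The point of the strict form is not the path arithmetic but its placement: the check keys on the token's scope, not on which service handled the call, so adding a new bulk endpoint like an archiver cannot silently fall outside it. In a real deployment the comparison would be done on canonical resource IDs rather than paths, and the middleware would run before any handler, archiver included, is reached.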

Details

CWE(s)
CWE-863 Incorrect Authorization

Affected Products
heinlein opencloud reva: versions before 2.40.3, and 2.41.0 up to (not including) 2.42.3; fixed in 2.40.3 and 2.42.3

CVEs Like This One (shared CWE-863)

CVE-2026-34376
CVE-2026-4933
CVE-2026-31887
CVE-2026-28808
CVE-2026-34532
CVE-2026-21309
CVE-2026-29087
CVE-2026-26308
CVE-2024-13277
CVE-2026-25875

References

GitHub security advisory GHSA-9j2f-3rj3-wgpg
Fixing commit 95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1