Cyber Resilience

CVE-2026-23989

Severity: High
Published: 06 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: available (fixed in Reva 2.40.3 and 2.42.3)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0027 (18.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23989 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Heinlein Opencloud Reva. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 18.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-25 (Reference Monitor).

Deeper analysis

CVE-2026-23989 is a vulnerability in Reva, the interoperability platform that OpenCloud uses as a component. Releases before 2.42.3, and releases on the 2.40 line before 2.40.3, carry a bug in the gRPC authorization middleware that lets a caller bypass the scope verification applied to public links. The issue is classified as CWE-863 (Incorrect Authorization) and has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): reachable over the network, low attack complexity, and no privileges or user interaction required.

A public link is meant to grant access to one shared resource, and the link's token is scoped to it. Because the middleware fails to enforce that scope, an attacker who holds a public link can call the archiver service with the link's token and have it build a zip or tar archive of every resource the link's creator can access, not just the shared one. No account on the instance is needed. The result is bulk, unauthorized data exfiltration (high confidentiality impact); the integrity impact is rated low.

The fix is in Reva 2.42.3 and 2.40.3; releases on the 2.41 line are not fixed. Details are in the GitHub security advisory (GHSA-9j2f-3rj3-wgpg) and the fixing commit (95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1). Affected deployments should upgrade to a fixed release without delay.
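The middleware failure described above, as an added illustration of the bug class (this is not Reva's code: the RPC names, the path layout, the file list and the PublicLinkScope type are constructed for the example, and the interceptor is modelled on the gRPC unary-interceptor shape without importing the grpc package). The vulnerable variant checks the link's scope only for an allow-listed set of RPCs, so the archiver RPC is never mediated and a valid public-link token archives the creator's whole tree; the hardened variant is deny-by-default and checks the RPC name and the target path on every call, including a ".." traversal attempt.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"path"
	"strings"
)

// PublicLinkScope models what a public-link token should pin down: one
// resource subtree plus the RPCs the link holder may invoke (hypothetical).
type PublicLinkScope struct {
	ResourcePath string
	AllowedRPCs  map[string]bool
}

// Handler mirrors a gRPC unary handler (method = fully qualified RPC name,
// resource = path the call targets) without importing the grpc package.
type Handler func(ctx context.Context, method, resource string) ([]string, error)

var ErrPermissionDenied = errors.New("permission denied: request outside public-link scope")

// within reports whether target is scopeRoot itself or lies beneath it.
// path.Clean resolves ".." first, so a traversal attempt cannot escape.
func within(target, scopeRoot string) bool {
	t := path.Clean("/" + target)
	r := path.Clean("/" + scopeRoot)
	return t == r || strings.HasPrefix(t, r+"/")
}

// vulnerableInterceptor verifies scope only for RPCs in a hard-coded list.
// Any RPC the list does not name (here the archiver) is passed through with
// the link creator's full view of the storage.
func vulnerableInterceptor(scope PublicLinkScope, next Handler) Handler {
	scopedRPCs := map[string]bool{
		"/storage.Provider/Stat":          true,
		"/storage.Provider/ListContainer": true,
	}
	return func(ctx context.Context, method, resource string) ([]string, error) {
		if scopedRPCs[method] && !within(resource, scope.ResourcePath) {
			return nil, ErrPermissionDenied
		}
		return next(ctx, method, resource)
	}
}

// hardenedInterceptor is deny-by-default: the RPC must be on the token's
// allow-list and the target must lie inside the scope, for every call.
func hardenedInterceptor(scope PublicLinkScope, next Handler) Handler {
	return func(ctx context.Context, method, resource string) ([]string, error) {
		if !scope.AllowedRPCs[method] || !within(resource, scope.ResourcePath) {
			return nil, ErrPermissionDenied
		}
		return next(ctx, method, resource)
	}
}

// creatorFiles is a constructed sample of everything the link creator can see.
var creatorFiles = []string{
	"/users/alice/public/report/summary.pdf",
	"/users/alice/private/passwords.kdbx",
	"/users/alice/private/tax-2025.xlsx",
}

// archive stands in for the archiver backend: it returns every file below
// the requested path, i.e. what a zip/tar of that subtree would contain.
func archive(_ context.Context, _ string, resource string) ([]string, error) {
	var out []string
	for _, f := range creatorFiles {
		if within(f, resource) {
			out = append(out, f)
		}
	}
	return out, nil
}

// ArchiveVia sends an archiver request for target through the chosen
// middleware and returns the files that would land in the archive.
func ArchiveVia(hardened bool, target string) ([]string, error) {
	scope := PublicLinkScope{
		ResourcePath: "/users/alice/public/report",
		AllowedRPCs: map[string]bool{
			"/storage.Provider/Stat":          true,
			"/storage.Provider/ListContainer": true,
			"/archiver.Service/Archive":       true,
		},
	}
	mw := vulnerableInterceptor
	if hardened {
		mw = hardenedInterceptor
	}
	return mw(scope, archive)(context.Background(), "/archiver.Service/Archive", target)
}

func main() {
	for _, hardened := range []bool{false, true} {
		files, err := ArchiveVia(hardened, "/users/alice")
		fmt.Printf("hardened=%v target=/users/alice files=%v err=%v\n", hardened, files, err)
	}
}
```

The design point is the reference-monitor property: the scope decision must be made once, in one place, for every RPC the token can reach. An allow-list of "RPCs that need checking" fails open the moment a new service (here the archiver) is added behind the same middleware.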

Vulnerability details

REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service this can be leveraged to create an archive (zip or tar file) containing all resources that the creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.

CWE(s)

CWE-863 Incorrect Authorization
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An authorization bypass in a public-facing gRPC service, reachable through the archiver with nothing more than a public link, is a direct instance of T1190: the attacker exploits the exposed application to obtain data without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32924 (shared CWE-863)
CVE-2026-23837 (shared CWE-863)
CVE-2020-36948 (shared CWE-863)
CVE-2026-29087 (shared CWE-863)
CVE-2026-30947 (shared CWE-863)
CVE-2024-13291 (shared CWE-863)
CVE-2025-30744 (shared CWE-863)
CVE-2024-53553 (shared CWE-863)
CVE-2026-34532 (shared CWE-863)
CVE-2026-0562 (shared CWE-863)

Affected Assets

Vendor: heinlein
Product: opencloud reva
Affected versions: before 2.40.3; 2.41.0 up to but not including 2.42.3 (every 2.41.x release is affected; 2.40.3 and 2.42.3 are the fixed releases)
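The version check an inventory script needs for this advisory, as an added example (not the project's or the page's own code). It is written against the two fixed releases named in the advisory: a build on the 2.40 line is safe from 2.40.3, anything else is safe from 2.42.3, so 2.41.x is always affected. A pre-release suffix such as "-rc1" is treated as older than the release it precedes, and build metadata after "+" is ignored; the sample version strings in main are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed MAJOR.MINOR.PATCH triple. A leading "v" and build
// metadata ("+...") are dropped; a pre-release suffix ("-...") is remembered
// because it sorts before the corresponding release.
type version struct {
	major, minor, patch int
	pre                 bool
}

func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	pre := false
	if i := strings.Index(s, "-"); i >= 0 {
		pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2], pre}, nil
}

// less is a semver-style ordering: numeric triple first, then a pre-release
// of a given triple sorts before the final release of that triple.
func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	if v.patch != o.patch {
		return v.patch < o.patch
	}
	return v.pre && !o.pre
}

// The two fixed releases named in the advisory. 2.40.3 only fixes the 2.40
// line; everything else is fixed from 2.42.3 on, so every 2.41.x is affected.
var (
	fixed240  = version{major: 2, minor: 40, patch: 3}
	fixedMain = version{major: 2, minor: 42, patch: 3}
)

// IsAffected reports whether a Reva build at version s predates its fix.
func IsAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	if v.major == 2 && v.minor == 40 {
		return v.less(fixed240), nil
	}
	return v.less(fixedMain), nil
}

func main() {
	// Constructed sample inputs covering both fix lines and the edge cases.
	for _, s := range []string{"2.39.1", "2.40.2", "2.40.3", "2.41.4", "2.42.2", "v2.42.3", "2.42.3-rc1", "2.42.3+build.5"} {
		affected, err := IsAffected(s)
		fmt.Printf("%-16s affected=%v err=%v\n", s, affected, err)
	}
}
```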

Mitigating Controls (NIST 800-53 r5)

AC-25 Reference Monitor (prevent)
The gRPC authorization middleware functions as a reference monitor: it must mediate every RPC, including archiver calls, and enforce all access decisions, so that no method is exempt from scope verification for public links.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations in the system, countering the incorrect authorization bug that allowed public link scope bypass and unauthorized archiver access.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Explicitly authorizes and limits the specific actions allowed without identification or authentication, restricting archiver use via unauthenticated public links to the link's intended scope only.

References

GitHub security advisory GHSA-9j2f-3rj3-wgpg
Fixing commit 95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1