
CVE-2026-23989: CWE-863: Incorrect Authorization in opencloud-eu reva

Severity: High
Tags: Vulnerability, CVE-2026-23989, CWE-863
Published: Fri Feb 06 2026 (02/06/2026, 18:28:25 UTC)
Source: CVE Database V5
Vendor/Project: opencloud-eu
Product: reva

Description

REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/06/2026, 19:14:30 UTC

Technical Analysis

CVE-2026-23989 is an authorization bypass (CWE-863, Incorrect Authorization) in the GRPC authorization middleware of Reva, the interoperability component that OpenCloud uses for storage access and sharing. A public link is served by a scoped token: the link holder acts with the rights of the user who created the link, but the scope confines that token to the shared resource, and the middleware is supposed to reject any GRPC request that reaches outside it. Because of a bug in that middleware, a link holder can make requests the scope should have refused. Exploitation needs no account and no user interaction: anyone holding a public link, which by design requires no login, can drive the "archiver" service to build a zip or tar archive containing every resource the link creator can access, not just the resource that was shared. The impact is primarily on confidentiality, since data that was never shared is disclosed.

Affected are Reva versions before 2.40.3 and versions from 2.41.0 up to but not including 2.42.3; 2.40.3 and 2.42.3 contain the fix. The CVSS v3.1 base score is 8.2 (High): network attack vector, low attack complexity, no privileges and no user interaction required, with a high confidentiality impact and only limited impact on integrity and availability. No public exploit has been reported, but the attack is simple once a public link is in hand, so deployments running an affected Reva release should treat it as a priority.
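To make the bug class concrete, here is an added example in Go (the language Reva is written in). It is not Reva's code: the types, the path-based scope and the "first entry only" flaw are hypothetical, and the page does not say where in Reva's middleware the real check fails. The example shows a scope-bound public-link token, a bulk archive request, a vulnerable authorizer that applies the scope to only part of the request, and a hardened one that checks every resource the request names.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Hypothetical scope model, not Reva's types: a public-link token acts with the
// link creator's rights but must be confined to the resource the link was made for.
type Scope struct {
	Root string // path the public link was created for (a file or a folder)
}

type Token struct {
	User  string // the link creator; storage calls run with this user's rights
	Scope *Scope // nil for an ordinary login session, set for public-link sessions
}

// ArchiveRequest mimics a bulk "pack these resources" call to an archiver service.
type ArchiveRequest struct {
	Paths []string
}

var ErrOutOfScope = errors.New("resource outside public-link scope")

// underRoot reports whether p is root itself or lies beneath it.
func underRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, strings.TrimSuffix(root, "/")+"/")
}

// vulnerableAuthorize is the CWE-863 pattern: a scope check exists, but a bulk
// request is judged by its first entry only, so extra paths ride along unchecked.
func vulnerableAuthorize(tok Token, req ArchiveRequest) error {
	if tok.Scope == nil {
		return nil // regular user session: ordinary ACLs apply downstream
	}
	if len(req.Paths) > 0 && !underRoot(tok.Scope.Root, req.Paths[0]) {
		return ErrOutOfScope
	}
	return nil
}

// hardenedAuthorize is default deny: every path in the request must be in scope,
// and a request that names nothing verifiable is refused rather than waved through.
func hardenedAuthorize(tok Token, req ArchiveRequest) error {
	if tok.Scope == nil {
		return nil
	}
	if len(req.Paths) == 0 {
		return ErrOutOfScope
	}
	for _, p := range req.Paths {
		if !underRoot(tok.Scope.Root, p) {
			return fmt.Errorf("%w: %s", ErrOutOfScope, p)
		}
	}
	return nil
}

// creatorFiles is a constructed view of everything the link creator can access.
// Only report.pdf was ever meant to be public.
var creatorFiles = []string{
	"/alice/public/report.pdf",
	"/alice/hr/salaries.xlsx",
	"/alice/hr/contracts/acme.pdf",
}

// buildArchive runs the authorizer, then resolves each requested path with the
// creator's rights (which is what makes an unchecked path dangerous) and returns
// the files that would be packed.
func buildArchive(auth func(Token, ArchiveRequest) error, tok Token, req ArchiveRequest) ([]string, error) {
	if err := auth(tok, req); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var out []string
	for _, p := range req.Paths {
		for _, f := range creatorFiles {
			if underRoot(p, f) && !seen[f] {
				seen[f] = true
				out = append(out, f)
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	link := Token{User: "alice", Scope: &Scope{Root: "/alice/public/report.pdf"}}
	// A link holder pads the request with a folder the link never covered.
	req := ArchiveRequest{Paths: []string{"/alice/public/report.pdf", "/alice/hr"}}

	got, err := buildArchive(vulnerableAuthorize, link, req)
	fmt.Println("vulnerable:", got, err) // all three files, err == nil

	got, err = buildArchive(hardenedAuthorize, link, req)
	fmt.Println("hardened:  ", got, err) // no files, err wraps ErrOutOfScope for /alice/hr
}
```

The hardened form has two properties worth keeping: default deny when nothing can be verified, and a check on every resource the request names rather than on the request type or its first element. Real code must also canonicalize what it compares (stable resource ids rather than paths, or at least paths with ".." and symlinks resolved); otherwise a prefix check like underRoot becomes a bypass of its own.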

Potential Impact

For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure. Since Reva is an interoperability platform used to share and manage resources across cloud environments, exploitation could lead to leakage of sensitive corporate or personal data, violating data protection regulations such as GDPR. The ability to archive everything the link creator can access, rather than only the shared resource, bypasses the intended access control and increases the risk of intellectual property theft, exposure of confidential business information, or personal data breaches. This could result in reputational damage, regulatory fines, and operational disruption. Organizations using affected versions of Reva in sectors like finance, healthcare, government, or critical infrastructure are particularly at risk due to the sensitivity of their data. Because public links are meant to be handed out freely and require no login, anyone who receives or discovers one can attempt the attack remotely, which increases the urgency of mitigation.

Mitigation Recommendations

Organizations should verify the Reva release in use and upgrade to 2.40.3 (for the 2.40 series) or to 2.42.3 or later; OpenCloud deployments should move to a release that bundles a fixed Reva. Where patching must wait, reduce the attack surface rather than relying on login controls: the attack is carried out through a public link, so multi-factor authentication on user accounts does not help. Practical interim steps are to temporarily disable public link creation, to disable or restrict access to the archiver endpoint, and to expire or password-protect existing links, starting with links created by users who have broad access (administrators, HR, finance), since the archive contains everything the creator can reach. GRPC endpoints should be reachable only from the internal service network in any case; confirm that with firewall rules or segmentation. Log and monitor public link creation and archiver requests, and flag archive requests made through a public link that reference resources outside the shared one or that are unusually large. Review and minimize public links, apply least privilege to sharing, consider IP allowlisting for public link endpoints where the use case allows it, include OpenCloud components in regular audits and vulnerability scans, and make users aware that a public link acts with their own rights.
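As an added example of the monitoring step above, the following Go program scans constructed archiver log events for public-link sessions that asked for resources outside the link's root. The log shape (auth, share_root, paths and remote_ip fields) is invented for this example and is not OpenCloud's or Reva's real log format; map the same check onto whatever your proxy or archiver actually records.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ArchiveEvent is a constructed, hypothetical log record for one archiver request.
type ArchiveEvent struct {
	Time      string   `json:"time"`
	Auth      string   `json:"auth"`       // "publicshare" for link sessions, "user" for logins
	ShareRoot string   `json:"share_root"` // path the link was created for (empty for logins)
	Paths     []string `json:"paths"`      // resources the caller asked to archive
	RemoteIP  string   `json:"remote_ip"`
}

// Finding is one public-link archive request that reached outside its link.
type Finding struct {
	Time       string
	RemoteIP   string
	OutOfScope []string
}

// underRoot reports whether p is root itself or lies beneath it.
func underRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, strings.TrimSuffix(root, "/")+"/")
}

// scanArchiveEvents flags every public-link archive request whose paths are not
// all beneath the link's root. Login sessions are skipped: their access is
// governed by normal ACLs, not by a link scope.
func scanArchiveEvents(ndjson string) ([]Finding, error) {
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev ArchiveEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		if ev.Auth != "publicshare" {
			continue
		}
		var bad []string
		for _, p := range ev.Paths {
			if !underRoot(ev.ShareRoot, p) {
				bad = append(bad, p)
			}
		}
		if len(bad) > 0 {
			findings = append(findings, Finding{Time: ev.Time, RemoteIP: ev.RemoteIP, OutOfScope: bad})
		}
	}
	return findings, nil
}

// sampleEvents are constructed for this example: a benign link download, a
// logged-in user's bulk archive, and a link session reaching into other folders.
const sampleEvents = `{"time":"2026-02-06T18:40:01Z","auth":"publicshare","share_root":"/alice/public/report.pdf","paths":["/alice/public/report.pdf"],"remote_ip":"203.0.113.7"}
{"time":"2026-02-06T18:41:12Z","auth":"user","share_root":"","paths":["/alice/hr","/alice/public"],"remote_ip":"198.51.100.2"}
{"time":"2026-02-06T18:42:30Z","auth":"publicshare","share_root":"/alice/public/report.pdf","paths":["/alice/public/report.pdf","/alice/hr","/alice/projects"],"remote_ip":"203.0.113.7"}`

func main() {
	findings, err := scanArchiveEvents(sampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s out-of-scope=%v\n", f.Time, f.RemoteIP, f.OutOfScope)
	}
}
```

On a patched system such a finding should never occur, because the middleware refuses the request; on an unpatched one it is a direct indicator of exploitation and the remote address and link identify who to block and which link to revoke.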


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-19T18:49:20.657Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69863a39f9fa50a62f278f63

Added to database: 2/6/2026, 7:00:09 PM

Last enriched: 2/6/2026, 7:14:30 PM

Last updated: 3/23/2026, 11:12:26 PM



