CVE-2026-23989: OpenCloud Reva has a Public Link Exploit

February 5, 2026 (updated February 6, 2026)

A security issue was discovered in Reva based products that enables a malicious user to bypass the scope validation of a public link, allowing it to access resources outside the scope of a public link.

References

github.com/advisories/GHSA-9j2f-3rj3-wgpg
github.com/opencloud-eu/reva
github.com/opencloud-eu/reva/commit/95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1
github.com/opencloud-eu/reva/security/advisories/GHSA-9j2f-3rj3-wgpg
nvd.nist.gov/vuln/detail/CVE-2026-23989

Code Behaviors & Features

Detect and mitigate CVE-2026-23989 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →