GHSA-VF5J-R2HW-2HRW

Vulnerability from github – Published: 2026-02-05 21:29 – Updated: 2026-02-05 21:29
Summary
OpenCloud Affected by Public Link Exploit
Details

Impact

A security issue was discovered in Reva that enables a malicious user to bypass the scope validation of a public link and thereby access resources outside the scope of that public link.

OpenCloud uses Reva as one of its core components and thus it is affected.

Patches

  • Update to OpenCloud version >= 4.0.3 (stable release)
  • Update to OpenCloud version >= 5.0.2 (rolling release)

Workarounds

If projects are unable to update immediately, please implement the following security configuration to disable public link shares temporarily until the final solution for this problem is rolled out.

Configuration Adjustment

  • Docker Compose: Edit the docker-compose.yml and add GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT="" (empty string value) in the environment section of the opencloud container.

Verification of Mitigation

Execute the following test:

  • Create a public link for testing.
  • Open the link URL in a private (no active login) browser tab.
  • An error page with "unknown error" will be displayed.

This configuration provides immediate protection and should be applied without delay. The configuration mitigation is available now and mitigates the problem completely.
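A compose-file check for the workaround above, added here as an example and not part of the advisory or of OpenCloud's own code. It assumes the compose file has already been parsed into a dict (for example json.loads of `docker compose config --format json` output, or yaml.safe_load of docker-compose.yml), accepts both the mapping and the KEY=VALUE list forms of `environment`, and flags the case where the typographic quotes from the advisory text are pasted literally, which yields a two-character value rather than an empty string:

```python
"""Verify that a parsed docker-compose config applies the OpenCloud
public-link workaround: GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT set to ""
on the `opencloud` service. Added example, not OpenCloud project code."""
import json

VAR = "GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT"
SERVICE = "opencloud"
# Typographic quotes that end up in a file when advisory text is pasted verbatim.
CURLY = {"\u201c", "\u201d", "\u2018", "\u2019"}


def environment_map(service: dict) -> dict:
    """Normalise `environment` (mapping or KEY=VALUE list) to {key: value|None}."""
    env = service.get("environment") or {}
    if isinstance(env, list):
        out = {}
        for item in env:
            key, sep, value = str(item).partition("=")
            out[key] = value if sep else None  # bare KEY inherits from the host
        return out
    return {k: (None if v is None else str(v)) for k, v in env.items()}


def check_mitigation(config: dict) -> tuple:
    """Return (mitigated, reason) for the opencloud service of a compose config."""
    service = (config.get("services") or {}).get(SERVICE)
    if service is None:
        return False, f"no '{SERVICE}' service found in compose file"
    env = environment_map(service)
    if VAR not in env:
        return False, f"{VAR} is not set; public links remain enabled"
    value = env[VAR]
    if value is None:
        return False, f"{VAR} has no value in the compose file (inherits host env)"
    if value == "":
        return True, f"{VAR} is the empty string; public link endpoint disabled"
    if set(value) <= CURLY:
        return False, f"{VAR} is set to typographic quotes {value!r}, not an empty string"
    return False, f"{VAR} is set to {value!r}; public link endpoint still configured"


# Constructed samples in the shape of `docker compose config --format json` output
# (mapping form) and of a hand-edited docker-compose.yml (list form, pasted quotes).
SAMPLE_OK = json.loads('{"services": {"opencloud": {"environment": '
                       '{"GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT": ""}}}}')
SAMPLE_PASTED = {"services": {"opencloud": {"environment": [
    "GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT=\u201c\u201d"]}}}

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("pasted", SAMPLE_PASTED)):
        print(name, *check_mitigation(cfg))
```

This only confirms the setting is present in the file; the browser test above still confirms the running container picked it up.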

For more information

If there are questions or comments about this advisory:

  • Security Support: security@opencloud.eu
  • Technical Support: support@opencloud.eu

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opencloud-eu/opencloud"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opencloud-eu/opencloud"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-05T21:29:26Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA security issue was discovered in [Reva](https://github.com/opencloud-eu/reva) that enables a malicious user to bypass the scope validation of a public link. That allows it to access resources outside the scope of a public link.\n\nOpenCloud uses Reva as one of its core components and thus it is affected.\n\n### Patches\n\nUpdate to OpenCloud version \u003e= 4.0.3 (stable release)\nUpdate to OpenCloud version \u003e= 5.0.2 (rolling release)\n\n### Workarounds\n\nIf projects are unable to update immediately, please implement the following security configuration to disable public link shares temporarily until the final solution for this problem is rolled out.\n\n#### Configuration Adjustment\n\n* Docker Compose: Edit the docker-compose.yml and add `GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT=\u201c\u201d` (empty string value) in the `environment` section of the `opencloud` container.\n\n\n#### Verification of Mitigation\n\nExecute the following test: \n- Create a public link for testing. \n- Open the link url in a private (no active login) browser tab. \n- An error page with \u201cunknown error\u201d will be displayed.\n\nThis configuration provides immediate protection and should be implemented immediately. Configuration mitigation is available. It mitigates the problem completely.\n\n### For more information\n\nIf there are questions or comments about this advisory:\n\n- Security Support: [security@opencloud.eu](mailto:security@opencloud.eu)\n- Technical Support: [support@opencloud.eu](mailto:support@opencloud.eu)",
  "id": "GHSA-vf5j-r2hw-2hrw",
  "modified": "2026-02-05T21:29:26Z",
  "published": "2026-02-05T21:29:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencloud-eu/opencloud/security/advisories/GHSA-vf5j-r2hw-2hrw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opencloud-eu/opencloud"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenCloud Affected by Public Link Exploit"
}

