{"id":"CVE-2026-42160","summary":"Data Space Portal: Incorrect Authorization and Client-Side Enforcement of Server-Side Security in ghcr.io/sovity/ds-portal-ce-backend","details":"Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered \"PENDING\" organization / user accounts. This issue has been patched in version 7.3.2.","aliases":["GHSA-989g-wpfv-6vxx"],"modified":"2026-07-08T08:13:36.496954901Z","published":"2026-05-08T19:46:59.825Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42160.json","cwe_ids":["CWE-602","CWE-863"]},"references":[{"type":"WEB","url":"https://github.com/sovity/dataspace-portal/releases/tag/v7.3.2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42160.json"},{"type":"ADVISORY","url":"https://github.com/sovity/dataspace-portal/security/advisories/GHSA-989g-wpfv-6vxx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42160"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sovity/dataspace-portal","events":[{"introduced":"cf1f505c2d3c2ae4f8b23c25efec382946aa1d76"},{"fixed":"55eb7e0aa069a51b740ecd2eb84876b187b15441"}],"database_specific":{"source":["AFFECTED_FIELD","DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"2.1.1"},{"fixed":"7.3.2"},{"introduced":"0"}]}}],"versions":["v7.3.0","v7.2.0","v7.1.0","v7.0.0","v6.0.0","v5.0.0","v4.1.1","v4.1.0","v2.3.0","v4.0.0","v3.1.0","v3.0.0","v2.2.1","v2.2.0","v2.1.2","v2.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42160.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L"}]}