CRITICAL🇵🇱 Wersja polska

CVE-2026-42160

CVSS 10.0v4.0pub. 2026-05-08upd. 2026-05-13

Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2.

🤖 AI Analysis
How it works

The server-side (backend) authorization mechanism incorrectly implements access control for accounts that have not yet completed the verification process and have PENDING status. In accordance with CWE-602 (Client-Side Enforcement of Server-Side Security) and CWE-863 (Incorrect Authorization), the application does not properly enforce access restrictions at the server level. An attacker can register an account for their own organization or user, and then—without approval by an administrator—gain access to resources or operations for which they should not have permissions.

Impact

An attacker without any permissions and without user interaction can gain unauthorized access to data and functions of the Dataspace management system, including potentially reading and modifying data both within their own context and connected systems.

Mitigation & patch

Update Data Space Portal to version 7.3.2 or newer, in which the vulnerability has been patched. Details available in the official release: https://github.com/sovity/dataspace-portal/releases/tag/v7.3.2

Who is affected

Data Space Portal in versions from 2.1.1 to before 7.3.2 (dataspace-portal backend).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References