Skip to main content

DSpace CVE-2026-49831

MEDIUM
Path Traversal (CWE-22)
2026-07-08 https://github.com/DSpace/DSpace GHSA-v66x-68f2-pxf5
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
5.5 MEDIUM

Exploited over the network via web UI, requires high admin privileges, no confidentiality impact, high availability impact from potential config file overwrite.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 21:55 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 maven packages depend on org.dspace:dspace-api (7 direct, 3 indirect)

Ecosystem-wide dependent count for version 8.0-rc1.

DescriptionGitHub Advisory

Overview

The Curation Task feature allows an output path to be used by the reporter (-r parameter), typically used to stream results and status of curation task operations. It is not restricted to any particular base path, meaning that any path writable by the DSpace (often 'tomcat') user is allowed. This constitutes a Path Traversal Vulnerability in the curate script.

This was not a real problem when curation tasks could only be run from the command-line as a system administrator, but now that Collection/Community/Site Administrators can also run curation tasks via the web user interface, it introduces a possibility for an attacker with DSpace administrative credentials to set command parameters in such a way that output ends up in an unexpected location (for example, static resources folder in the Spring boot webapp, or overwriting a configuration file).

_This vulnerability impacts DSpace versions <= 7.6.6, 8.0 <= 8.3, 9.0 <= 9.2._ The attacker MUST already have DSpace Collection/Community/Site Administrator credentials in order to perform the attack.

Expected behaviour : Only a set of configured output directories should be allowed as base paths for Curation reporter output. The fix applied here is designed to be used with other systems that need to read or write streams on disk. In addition, we do not see a need for the web-managed processes to allow the -r reporter output parameter at all.

Impact

The ability to overwrite a file in /dspace/config or /dspace/bin is not desired, and could result in a denial of service attack. To actually use the curation reporter to perform an attack that escalates privileges, either a custom curation task would be needed (these can only be deployed by a system administrator), or the output would have to contain some executable information that is combined with other attacks, as a way to provide a payload in a local path.

Patches

The fix is included in DSpace 7.6.7, 8.4, 9.3 and 10.0. Please upgrade to one of these versions at the earliest convenience

If users cannot upgrade immediately, it is possible to manually patch their DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.x.

Apply the patch to a user's DSpace

If at all possible, DSpace maintainers recommend disabling the ORE Crosswalk (see below) or upgrading users' DSpace site based on the upgrade instructions. However, if usersare unable to do so, they can manually apply the above patches to their DSpace backend as follows:

  1. Download the appropriate patch file to the machine where DSpace backend is running
  2. From the [dspace-src] folder, apply the patch, e.g. git apply [name-of-file].patch
  3. Now, update the DSpace site (based loosely on the Upgrade instructions). This generally involves three steps:
  4. Rebuild DSpace, e.g. mvn -U clean package (This will recompile all DSpace backend code)
  5. Redeploy DSpace, e.g. ant update (This will copy all newly built code to a project's installation directory). Depending on the user's setup they also may need to copy the updated "server" webapp over to their Tomcat webapps folder.
  6. Restart Tomcat (or runnable JAR)

Workarounds

Patching the system is the recommended fix. However, if users cannot patch their system immediately, it is possible to temporarily disable all Curation Tasks by commenting out every CurationTask plugin in their curate.cfg file:

# For example, ensure every line that starts with "plugin.named.org.dspace.curate.CurationTask" is commented out

#plugin.named.org.dspace.curate.CurationTask = org.dspace.ctask.general.NoOpCurationTask = noop
#plugin.named.org.dspace.curate.CurationTask = org.dspace.ctask.general.ProfileFormats = profileformats
#plugin.named.org.dspace.curate.CurationTask = org.dspace.ctask.general.RequiredMetadata = requiredmetadata
#plugin.named.org.dspace.curate.CurationTask = org.dspace.ctask.general.ClamScan = vscan
...

Please be aware that commenting out all Curation Tasks will ensure that no curation tasks can be run from either the User Interface (in various admin tools) or from the command line. So, before commenting out these lines, ensure that users do not automatically run specific curation tasks (via dspace curate command) from scheduled cron jobs or similar.

Credits

Discovered & reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos. Code fix developed by Kim Shepherd (@kshepherd) of The Library Code

AnalysisAI

Path traversal in DSpace's Curation Task reporter parameter exposes authenticated Collection, Community, and Site Administrators to file write operations at arbitrary server-side paths writable by the DSpace/Tomcat OS user. Affected are DSpace versions through 7.6.6, 8.0-8.3, and 9.0-9.2, where the attack surface widened when web UI access was granted to admin roles beyond CLI-only system administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain DSpace admin credentials
Delivery
Authenticate to DSpace web UI
Exploit
Submit curation task with traversal output path
Execution
Tomcat service account writes to target path
Persist
Overwrite config or binary file
Impact
Trigger denial of service on next reload

Vulnerability AssessmentAI

Exploitation Exploitation requires valid DSpace Collection, Community, or Site Administrator credentials - the vulnerability is not exploitable by unauthenticated users, submitters, or readers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 5.5 with vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H is well-calibrated to the actual threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An adversary who has acquired DSpace Collection or Site Administrator credentials - through phishing, credential stuffing against a publicly accessible DSpace instance, or insider misuse - logs into the web UI and submits a curation task while setting the reporter output path to a sensitive location such as `/dspace/config/spring/api/core-dao-config.xml`. The curation task executes under the Tomcat service account and overwrites the targeted configuration file with task output, corrupting the Spring context and causing the DSpace backend to fail on next restart or reload, achieving denial of service without needing system-level access.
Remediation The primary remediation is to upgrade to DSpace 7.6.7, 8.4, 9.3, or 10.0, which restrict curation reporter output to configured allowed directories and remove the `-r` parameter from web-managed curation processes. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-49831 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy