DSpace CVE-2026-49831
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Exploited over the network via web UI, requires high admin privileges, no confidentiality impact, high availability impact from potential config file overwrite.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 10 maven packages depend on org.dspace:dspace-api (7 direct, 3 indirect)
Ecosystem-wide dependent count for version 8.0-rc1.
DescriptionGitHub Advisory
Overview
The Curation Task feature allows an output path to be used by the reporter (-r parameter), typically used to stream results and status of curation task operations. It is not restricted to any particular base path, meaning that any path writable by the DSpace (often 'tomcat') user is allowed. This constitutes a Path Traversal Vulnerability in the curate script.
This was not a real problem when curation tasks could only be run from the command-line as a system administrator, but now that Collection/Community/Site Administrators can also run curation tasks via the web user interface, it introduces a possibility for an attacker with DSpace administrative credentials to set command parameters in such a way that output ends up in an unexpected location (for example, static resources folder in the Spring boot webapp, or overwriting a configuration file).
_This vulnerability impacts DSpace versions <= 7.6.6, 8.0 <= 8.3, 9.0 <= 9.2._ The attacker MUST already have DSpace Collection/Community/Site Administrator credentials in order to perform the attack.
Expected behaviour : Only a set of configured output directories should be allowed as base paths for Curation reporter output. The fix applied here is designed to be used with other systems that need to read or write streams on disk. In addition, we do not see a need for the web-managed processes to allow the -r reporter output parameter at all.
Impact
The ability to overwrite a file in /dspace/config or /dspace/bin is not desired, and could result in a denial of service attack. To actually use the curation reporter to perform an attack that escalates privileges, either a custom curation task would be needed (these can only be deployed by a system administrator), or the output would have to contain some executable information that is combined with other attacks, as a way to provide a payload in a local path.
Patches
The fix is included in DSpace 7.6.7, 8.4, 9.3 and 10.0. Please upgrade to one of these versions at the earliest convenience
If users cannot upgrade immediately, it is possible to manually patch their DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.x.
- Pull request for 9.x: https://github.com/DSpace/DSpace/pull/12552 (Downloadable patch file)
- This 9.x patch file also resolves a similar path traversal vulnerability in LDN messages
- Pull request for 8.x: https://github.com/DSpace/DSpace/pull/12540 (Downloadable patch file)
- This 8.x patch file also resolves a similar path traversal vulnerability in LDN messages
- Pull request for 7.x: https://github.com/DSpace/DSpace/pull/12539 (Downloadable patch file)
Apply the patch to a user's DSpace
If at all possible, DSpace maintainers recommend disabling the ORE Crosswalk (see below) or upgrading users' DSpace site based on the upgrade instructions. However, if usersare unable to do so, they can manually apply the above patches to their DSpace backend as follows:
- Download the appropriate patch file to the machine where DSpace backend is running
- From the
[dspace-src]folder, apply the patch, e.g.git apply [name-of-file].patch - Now, update the DSpace site (based loosely on the Upgrade instructions). This generally involves three steps:
- Rebuild DSpace, e.g.
mvn -U clean package(This will recompile all DSpace backend code) - Redeploy DSpace, e.g.
ant update(This will copy all newly built code to a project's installation directory). Depending on the user's setup they also may need to copy the updated "server" webapp over to their Tomcat webapps folder. - Restart Tomcat (or runnable JAR)
Workarounds
Patching the system is the recommended fix. However, if users cannot patch their system immediately, it is possible to temporarily disable all Curation Tasks by commenting out every CurationTask plugin in their curate.cfg file:
# For example, ensure every line that starts with "plugin.named.org.dspace.curate.CurationTask" is commented out
#plugin.named.org.dspace.curate.CurationTask = org.dspace.ctask.general.NoOpCurationTask = noop
#plugin.named.org.dspace.curate.CurationTask = org.dspace.ctask.general.ProfileFormats = profileformats
#plugin.named.org.dspace.curate.CurationTask = org.dspace.ctask.general.RequiredMetadata = requiredmetadata
#plugin.named.org.dspace.curate.CurationTask = org.dspace.ctask.general.ClamScan = vscan
...Please be aware that commenting out all Curation Tasks will ensure that no curation tasks can be run from either the User Interface (in various admin tools) or from the command line. So, before commenting out these lines, ensure that users do not automatically run specific curation tasks (via dspace curate command) from scheduled cron jobs or similar.
Credits
Discovered & reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos. Code fix developed by Kim Shepherd (@kshepherd) of The Library Code
AnalysisAI
Path traversal in DSpace's Curation Task reporter parameter exposes authenticated Collection, Community, and Site Administrators to file write operations at arbitrary server-side paths writable by the DSpace/Tomcat OS user. Affected are DSpace versions through 7.6.6, 8.0-8.3, and 9.0-9.2, where the attack surface widened when web UI access was granted to admin roles beyond CLI-only system administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires valid DSpace Collection, Community, or Site Administrator credentials - the vulnerability is not exploitable by unauthenticated users, submitters, or readers. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 5.5 with vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H is well-calibrated to the actual threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An adversary who has acquired DSpace Collection or Site Administrator credentials - through phishing, credential stuffing against a publicly accessible DSpace instance, or insider misuse - logs into the web UI and submits a curation task while setting the reporter output path to a sensitive location such as `/dspace/config/spring/api/core-dao-config.xml`. The curation task executes under the Tomcat service account and overwrites the targeted configuration file with task output, corrupting the Spring context and causing the DSpace backend to fail on next restart or reload, achieving denial of service without needing system-level access. |
| Remediation | The primary remediation is to upgrade to DSpace 7.6.7, 8.4, 9.3, or 10.0, which restrict curation reporter output to configured allowed directories and remove the `-r` parameter from web-managed curation processes. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v66x-68f2-pxf5