GHSA-v66x-68f2-pxf5: DSpace has a possible Path Traversal Vulnerability in its Curation Task Reporter output path
Overview
The Curation Task feature allows an output path to be used by the reporter (-r parameter), typically used to stream results and status of curation task operations. It is not restricted to any particular base path, meaning that any path writable by the DSpace (often 'tomcat') user is allowed. This constitutes a Path Traversal Vulnerability in the curate script.
This was not a real problem when curation tasks could only be run from the command-line as a system administrator, but now that Collection/Community/Site Administrators can also run curation tasks via the web user interface, it introduces a possibility for an attacker with DSpace administrative credentials to set command parameters in such a way that output ends up in an unexpected location (for example, static resources folder in the Spring boot webapp, or overwriting a configuration file).
_This vulnerability impacts DSpace versions <= 7.6.6, 8.0 <= 8.3, 9.0 <= 9.2._ The attacker MUST already have DSpace Collection/Community/Site Administrator credentials in order to perform the attack.
Expected behaviour : Only a set of configured output directories should be allowed as base paths for Curation reporter output. The fix applied here is designed to be used with other systems that need to read or write streams on disk. In addition, we do not see a need for the web-managed processes to allow the -r reporter output parameter at all.
Impact
The ability to overwrite a file in /dspace/config or /dspace/bin is not desired, and could result in a denial of service attack. To actually use the curation reporter to perform an attack that escalates privileges, either a custom curation task would be needed (these can only be deployed by a system administrator), or the output would have to contain some executable information that is combined with other attacks, as a way to provide a payload in a local path.
Patches
The fix is included in DSpace 7.6.7, 8.4, 9.3 and 10.0. Please upgrade to one of these version
Details
Original advisory: https://github.com/advisories/GHSA-v66x-68f2-pxf5
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-49831 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10