CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49831

mediumCVSS 5.5covered by 1 sourcefirst seen 2026-07-08
Overview The Curation Task feature allows an output path to be used by the reporter (-r parameter), typically used to stream results and status of curation task operations. It is not restricted to any particular base path, meaning that any path writable by the DSpace (often 'tomcat') user is allowed. This constitutes a Path Traversal Vulnerability in the curate script. This was not a real problem when curation tasks could only be run from the command-line as a system administrator, but now that Collection/Community/Site Administrators can also run curation tasks via the web user interface, it introduces a possibility for an attacker with DSpace administrative credentials to set command parameters in such a way that output ends up in an unexpected location (for example, static resources folder in the Spring boot webapp, or overwriting a configuration file). _This vulnerability impacts DSpace versions <= 7.6.6, 8.0 <= 8.3, 9.0 <= 9.2._ The attacker MUST already have DSpace Collection/Community/Site Administrator credentials in order to perform the attack. Expected behaviour : Only a set of configured output directories should be allowed as base paths for Curation reporter output. The fix applied here is designed to be used with other systems that need to read or write streams on disk. In addition, we do not see a need for the web-managed processes to allow the -r reporter output parameter at all. Impact The ability to overwrite a file in /dspace/config or /dspace/bin is not desired, and could result in a denial of service attack. To actually use the curation reporter to perform an attack that escalates privileges, either a custom curation task would be needed (these can only be deployed by a system administrator), or the output would have to contain some executable information that is combined with other attacks, as a way to provide a payload in a local path. Patches The fix is included in DSpace 7.6.7, 8.4, 9.3 and 10.0. Please upgrade to one of these version

⚡ Watch CVE-2026-49831

Get an email if CVE-2026-49831 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-49831

CVE.org record

Embed the live status

CVE-2026-49831 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49831 status](https://www.csirts.com/badge/CVE-2026-49831)](https://www.csirts.com/cve/CVE-2026-49831)