Skip to content

DSpace has possible Remote Code Execution (RCE) through Velocity Templates used by LDN

High severity GitHub Reviewed Published Jun 1, 2026 in DSpace/DSpace • Updated Jul 8, 2026

Package

maven org.dspace:dspace-api (Maven)

Affected versions

>= 8.0-rc1, < 8.4
>= 9.0-rc1, < 9.3
= 10.0-rc1

Patched versions

8.4
9.3
10.0

Description

Overview

Remote Code Execution (RCE) is possible via Velocity Templates used by DSpace for COAR Notify/LDN messages. This vulnerability impacts DSpace versions 8.0 <= 8.3, 9.0 <= 9.2. The attacker MUST already have DSpace administrator credentials in order to perform the attack.

This attack is related to the path traversal attack identified in GHSA-9qm4-rh6w-pq5x as it was the impactful part of the "proof-of-concept" attack chain.

Impact

When chained with the LDN Path Traversal Attack identified in GHSA-9qm4-rh6w-pq5x, it may be possible to execute Java directly from Velocity templates using reflection. This is a very high impact vulnerability, but the attack can only be performed by a user that has DSpace Administrator privileges. Disabling LDN (see below) removes all known attack paths.

Velocity is also used for email templating, but there is no known attack path via emails templates. Nonetheless, the patches below also apply to email templates.

Patches

The fix is included in DSpace 8.4, 9.3 and 10.0. Please upgrade to one of these versions or disable LDN (see below)

If users cannot upgrade immediately, it is possible to manually patch their DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 8.x or 9.x.

Apply the patch to a DSpace instance

If at all possible, DSpace project maintainers recommend disabling LDN (see below) or upgrading a DSpace site based on the upgrade instructions. However, if users are unable to do so, they can manually apply the above patches to their Space backend as follows:

  1. Download the appropriate patch file to the machine where DSpace backend is running
  2. From the [dspace-src] folder, apply the patch, e.g. git apply [name-of-file].patch
  3. Now, update the application's DSpace site (based loosely on the Upgrade instructions). This generally involves three steps:
    1. Rebuild DSpace, e.g. mvn -U clean package (This will recompile all DSpace backend code)
    2. Redeploy DSpace, e.g. ant update (This will copy all newly built code to the application's installation directory). Depending on an application's setup users also may need to copy the updated "server" webapp over to their Tomcat webapps folder.
    3. Restart Tomcat (or runnable JAR)

Workarounds

  • In dspace.cfg or local.cfg, disable LDN (set ldn.enabled=false) if it is not crucial to the operation of the repository. (NOTE: LDN is disabled by default, so many DSpace sites may not use this feature)
  • Once users have patched theirr site or upgraded, they may safely enable LDN again.

Resources

This vulnerability is similar to vulnerabilities reported by Velocity itself:

Credits

Discovered & reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos. Reported as a possible attack combined with the LDN Path Traversal vulnerability.
Code fix developed by Kim Shepherd (@kshepherd) of The Library Code

References

@tdonohue tdonohue published to DSpace/DSpace Jun 1, 2026
Published to the GitHub Advisory Database Jul 8, 2026
Reviewed Jul 8, 2026
Last updated Jul 8, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS score

Weaknesses

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Learn more on MITRE.

CVE ID

CVE-2026-49832

GHSA ID

GHSA-9x82-rm84-c6x7

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.