Improper Restriction of Names for Files and Other Resources Affecting org.dspace:dspace-api package, versions [,7.6.7)[8.0-rc1,8.4)[9.0-rc1,9.3)[10-rc1,10.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGDSPACE-17901228
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditsuperpegaso2703

Introduced: 8 Jul 2026

NewCVE-2026-49830  (opens in a new tab)
CWE-641  (opens in a new tab)

How to fix?

Upgrade org.dspace:dspace-api to version 7.6.7, 8.4, 9.3, 10.0 or higher.

Overview

org.dspace:dspace-api is a DSpace core data model and service APIs.

Affected versions of this package are vulnerable to Improper Restriction of Names for Files and Other Resources via the OREIngestionCrosswalk.ingest process in dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java. An attacker can ingest a malicious ORE resource by supplying an aggregated resource URI such as file:///etc/passwd, causing the harvester to open and ingest a local server file as a bitstream. This affects OAI harvests where the ORE crosswalk processes attacker-controlled XML from a remote endpoint. The result is disclosure of local file contents inside DSpace items, exposing server data to users who can later access the harvested content.

Workarounds

  • Disable the ORE ingestion crosswalk in dspace.cfg by removing or commenting out org.dspace.content.crosswalk.OREIngestionCrosswalk = ore, \ from plugin.named.org.dspace.content.crosswalk.IngestionCrosswalk; this prevents the OAI harvester from processing attacker-controlled ORE resources that could point to file:///... paths.

CVSS Base Scores

version 4.0
version 3.1