CVE-2026-49832: DSpace Remote Code Execution via Velocity Template Injection in LDN
A DSpace administrator can plant a malicious Velocity template inside a COAR Notify/LDN message template to execute arbitrary Java code on the server.
The problem
DSpace versions 8.0 through 8.3 (and 9.0 through 9.2) render COAR Notify/LDN message templates using Apache Velocity without a secure sandbox. An authenticated administrator can supply a Velocity template containing reflective Java method calls.
When the template is processed, Velocity evaluates the expression and executes arbitrary Java on the server. Chained with the LDN path traversal (GHSA-9qm4-rh6w-pq5x), an attacker can write a malicious template file to the server first, then trigger its evaluation.
The attack requires DSpace administrator credentials.
Proof of concept
A working proof-of-concept for CVE-2026-49832 in org.dspace:dspace-api, with the exact payload below.
#set($ex = $class.forName("java.lang.Runtime").getMethod("exec", $class.forName("java.lang.String")).invoke($class.forName("java.lang.Runtime").getMethod("getRuntime").invoke(null), "id"))
#set($reader = $class.forName("java.io.BufferedReader").getDeclaredConstructors()[0].newInstance($class.forName("java.io.InputStreamReader").getDeclaredConstructors()[0].newInstance($ex.getInputStream())))
#set($result = "")
#foreach($line in $reader.lines().iterator())
#set($result = "$result $line")
#end
$resultVelocity's default `UberspectImpl` introspector allows templates to resolve and call arbitrary Java methods via reflection. The payload uses `$class` (the Velocity context's class resolver) to look up `java.lang.Runtime` by name, invoke `getRuntime()`, and then call `exec()`, which is exactly the reflection chain that Velocity itself patched in CVE-2020-13936 by introducing a sandbox in Velocity 2.3.
DSpace already shipped Velocity 2.3+ but had not configured the `SecureUberspector` for its own template rendering paths, leaving the LDN and email template processors unsandboxed.
The fix in PR #12548 (9.x) and #12549 (8.x), authored by Kim Shepherd, enables the `SecureUberspector` in DSpace's Velocity engine configuration. This blocks reflective access to class objects and method invocation entirely from within templates (CWE-94).
The fix
Upgrade to DSpace 8.4, 9.3, or 10.0. If an immediate upgrade is not possible, apply the manual patch (PR #12549 for 8.x or PR #12548 for 9.x), then rebuild and redeploy. As a short-term workaround, set `ldn.enabled=false` in `dspace.cfg` or `local.cfg` to remove the known attack path.
LDN is disabled by default, so many deployments are not exposed.
Reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos.
Related research
- highCVE-2026-34151CVE-2026-34151: XWiki Platform Old Core Path Traversal via /skin/ Endpoint on Jetty 12
- high · 7.7CVE-2026-54641CVE-2026-54641: OpenRemote Manager Cross-Realm User Information Disclosure
- high · 7.6CVE-2026-54640CVE-2026-54640: OpenRemote KNXProtocol XXE Arbitrary File Read
- highCVE-2026-53712CVE-2026-53712: scram-client SCRAM Channel-Binding Silent Authentication Downgrade