high · 8CVE-2026-49832Jul 8, 2026

CVE-2026-49832: DSpace Remote Code Execution via Velocity Template Injection in LDN

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

A DSpace administrator can plant a malicious Velocity template inside a COAR Notify/LDN message template to execute arbitrary Java code on the server.

Packageorg.dspace:dspace-api
Ecosystemmaven
Affected>= 8.0-rc1, < 8.4
Fixed in8.4

The problem

DSpace versions 8.0 through 8.3 (and 9.0 through 9.2) render COAR Notify/LDN message templates using Apache Velocity without a secure sandbox. An authenticated administrator can supply a Velocity template containing reflective Java method calls.

When the template is processed, Velocity evaluates the expression and executes arbitrary Java on the server. Chained with the LDN path traversal (GHSA-9qm4-rh6w-pq5x), an attacker can write a malicious template file to the server first, then trigger its evaluation.

The attack requires DSpace administrator credentials.

Proof of concept

A working proof-of-concept for CVE-2026-49832 in org.dspace:dspace-api, with the exact payload below.

text
#set($ex = $class.forName("java.lang.Runtime").getMethod("exec", $class.forName("java.lang.String")).invoke($class.forName("java.lang.Runtime").getMethod("getRuntime").invoke(null), "id"))
#set($reader = $class.forName("java.io.BufferedReader").getDeclaredConstructors()[0].newInstance($class.forName("java.io.InputStreamReader").getDeclaredConstructors()[0].newInstance($ex.getInputStream())))
#set($result = "")
#foreach($line in $reader.lines().iterator())
  #set($result = "$result $line")
#end
$result

Velocity's default `UberspectImpl` introspector allows templates to resolve and call arbitrary Java methods via reflection. The payload uses `$class` (the Velocity context's class resolver) to look up `java.lang.Runtime` by name, invoke `getRuntime()`, and then call `exec()`, which is exactly the reflection chain that Velocity itself patched in CVE-2020-13936 by introducing a sandbox in Velocity 2.3.

DSpace already shipped Velocity 2.3+ but had not configured the `SecureUberspector` for its own template rendering paths, leaving the LDN and email template processors unsandboxed.

The fix in PR #12548 (9.x) and #12549 (8.x), authored by Kim Shepherd, enables the `SecureUberspector` in DSpace's Velocity engine configuration. This blocks reflective access to class objects and method invocation entirely from within templates (CWE-94).

The fix

Upgrade to DSpace 8.4, 9.3, or 10.0. If an immediate upgrade is not possible, apply the manual patch (PR #12549 for 8.x or PR #12548 for 9.x), then rebuild and redeploy. As a short-term workaround, set `ldn.enabled=false` in `dspace.cfg` or `local.cfg` to remove the known attack path.

LDN is disabled by default, so many deployments are not exposed.

Reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos.

References: [1][2][3][4]

Related research