DSpace 7.6.7 is now available!
DSpace Technical Support
We are pleased to announce the release of DSpace 7.6.7! With the release of 10.0, this will be the final release of 7.6.x because we only support the last three major versions of DSpace.
This release provides security fixes, performance improvements, accessibility improvements and bug fixes to the 7.6.x platform. No new features are provided. As such, this release should be an easier upgrade for sites already running 7.6.x
Security Fixes
Fix for GHSA-9x82-rm84-c6x7 (high severity). Remote Code Execution (RCE) possible in Velocity templates used by LDN (Linked Data Notifications) when COAR Notify is enabled. (NOTE: A CVE ID has been requested but not yet assigned)
Fix for GHSA-9qm4-rh6w-pq5x (moderate severity). Path traversal vulnerability possible in LDN (Linked Data Notifications) message generation when COAR Notify is enabled. (NOTE: A CVE ID has been requested but not yet assigned)
Fix for GHSA-v66x-68f2-pxf5 (moderate severity). Path Traversal Vulnerability is possible in Curation Task Reporter output path. (NOTE: A CVE ID has been requested but not yet assigned)
Fix for GHSA-c827-pw3m-67w7 (moderate severity). ORE resource URI does not validate scheme for non-web resources when harvesting OAI content. (NOTE: A CVE ID has been requested but not yet assigned)
Patch for CVE-2026-27739 in Angular SSR (critical severity). All versions of Angular SSR (Server Side Rendering) contain a critical SSRF (Server-Side Request Forgery) vulnerability, which may be possible to exploit in DSpace sites that are not running DSpace behind a well-configured proxy (see mailing list announcement).
Breaking Changes
We include a “Breaking Changes” section to the Release Notes to notify you of major changes which may impact your upgrade. Please visit the Release Notes for the full details.
A few key breaking changes to be aware of in DSpace 7.6.7:
Frontend's new "ui > baseUrl" setting helps to patch against the Angular SSR vulnerability CVE-2026-27739.
Replaced "webui.content_disposition_format" with "webui.content_disposition_inline" (in dspace.cfg). This improves security of unknown or custom formats by only displaying trusted formats inline.
Major Bug fixes / improvements include:
Fixed bug on Browse by Issue Date where the date was treated as a filter rather than a start date for decades. #10055 (Donated by Atmire)
Fixed a bug where the IIIF viewer was not working due to a missing mime.types file. #11804 (Donated by 4Science)
Fixed a bug where authentication methods would not appear if page refreshed before authentication token expired. #4662 (Donated by Atmire)
Fixed a bug in hierarchical vocabulary browse where only the first 20 matches to a query were rendered. #4500 (Donated by Atmire)
Fixed an issue where deleted bitstreams returned HTTP 401 unauthorized instead of 404. #11629 (Donated by Jesiel Viana)
Fixed bug where LDAP authentication would fail with when a user's LDAP entry had no email field. #11292 (Donated by dataquest)
Fixed bug where metadata export was no longer respecting metadata.hide.* properties #11197 (Donated by Atmire)
Fixed an issue where the "New process" dropdown would not fully load when browser zoom was adjusted #4577 (Donated by 4Science)
Fixed bug occurring during OAI update process when batch size exceeded and items had metadata-level embargoes. #12112 (Donated by Toni Prieto)
Added missing Entity-related metadata fields to the Metadata Registry. #3353
Fixed bug where OAI identifier prefix could revert back to un-interpolated value when not defined in config. #12505 (Donated by Atmire)
Submission / Workflow enhancements and fixes
Fixed an issue where loading many mapped collection forms via item-submission could cause a Fetch error. #10750 (Donated by Paulo Graça)
Fixed bug where a Submitter could not deposit items via SWORD when the item had an embargo defined. #10404 (Donated by dataquest)
There is now a configurable limit on the number of items that can be added or edited in a single CSV metadata import. #9663 (Donated by Neki-IT)
Fixed an issue where controlled vocabulary lookup was not working for text with accented characters. #12097 (Donated by Istvan Vig)
Administrative enhancements and fixes
Fixed an issue where the checksum checker could fail to complete due to memory constraints in repositories with many bitstreams. #7322 (Donated by Miika Nurminen)
Fixed an issue where the curation task CreateMissingIdentifiers would not work for an item without a handle. #11676 (Donated by The Library Code)
Fixed bug where it was not possible to set the DELETE resource policy. #10741 (Donated by DSquare Technologies)
Performance improvements
Improved performance by optimizing the SQL query in the findByEPerson method. #11472 (Donated by Toni Prieto)
Improved performance on the signposting endpoint by adding a count query. #12305 (Donated by Tina Schönborn)
Improved loading times and cache behavior for the community list page. #9911 (Donated by 4Science)
Improved performance for relationship queries by caching the tables that store entity and relationship types. #12511 (Donated by Atmire)
Fixed a large number of other bugs. See Release Notes for details.
A total of 39 individuals contributed to 7.6.7. For a full list of changes and contributors in 7.6.7, see our Release Notes.
Would you like to contribute to a future DSpace release?
DSpace is built and supported by community volunteers. We have no centralized development team. Therefore, we welcome contributions from anyone! Contributions may take the form of:
Contributing money to our DSpace Development Fund - All funds go directly towards development in the next release(s), and you will be acknowledged on our DSpace Development Fund page.
Contributing code - As a volunteer developer you can determine which issue ticket you’d like to work on. Join our weekly developer meetings or get in touch with Tim Donohue if you have any questions.
With the release of DSpace 10.0, our currently supported releases will shift to 8.x, 9.x and 10.x. Therefore, 7.6.7 is the final release of 7.6.x and 7.x.x will enter “end of life” (EOL).
If you’d like more information on ongoing development, please consider joining our weekly developer meetings, or follow along by reading the public notes of past meetings.