Anonymous Intelligence Signal

Princeton Library's Digital Collections Hit by Future OpenSSL Vulnerabilities (CVE-2026-2673, CVE-2026-28389/90)

human | The Lab | unverified | 2026-04-09 14:27:11 | Source: GitHub Issues

A critical automated security scan for Princeton University Library's digital collections platform has failed, flagging multiple future-dated OpenSSL vulnerabilities. The Trivy scanner detected a 'High' severity flaw (CVE-2026-2673) and two 'Unknown' severity vulnerabilities (CVE-2026-28389, CVE-2026-28390) in core cryptographic libraries, including libssl3t64 and openssl. The scan results, which are publicly visible on the project's GitHub Actions page, indicate the software is running on outdated Debian packages, creating a potential security exposure for the institution's digital assets.

The failure occurred in the 'dpul-collections' repository, which hosts code for the library's digital exhibits and collections platform. The scanner output shows that three key packages—libssl3t64, openssl, and openssl-provider-legacy—are all installed at version '3.5.5-1~deb13u1' but require patching to version '3.5.5-1~deb13u2' to resolve the flagged CVEs. While the EPSS (Exploit Prediction Scoring System) scores for these vulnerabilities are currently listed as '< 0.1%', indicating a low probability of immediate exploitation, their presence in a public-facing academic repository signals a lapse in standard security hygiene.

This incident places internal pressure on Princeton University Library's development and IT security teams to address the version drift and harden their container deployment pipeline. Publicly exposed CI/CD failures can serve as a beacon for threat actors, potentially drawing scrutiny to the library's broader digital infrastructure. For an institution managing sensitive cultural and research data, maintaining a secure software supply chain is non-negotiable, making this automated scan failure a notable operational security signal.
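As an added example (not code from the article or from the dpul-collections project), the following Python gate reads a Trivy JSON report of the kind that produced this failure, decides whether the build should fail, and lists the Debian package upgrades to apply. The embedded report is a constructed sample that reuses only the package names, versions and CVE ids quoted above; treating UNKNOWN-severity findings that already have a fix as a 'review' verdict, and assuming one fix version per package, are my own policy choices.

```python
import json

# Constructed sample in the layout of a Trivy JSON report (SchemaVersion 2), reusing
# the package names, versions and CVE ids from the article; not the real scan output.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "dpul-collections (constructed sample)",
    "Results": [{
        "Target": "debian 13 os-pkgs", "Class": "os-pkgs", "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-2673", "PkgName": "libssl3t64", "Severity": "HIGH",
             "InstalledVersion": "3.5.5-1~deb13u1", "FixedVersion": "3.5.5-1~deb13u2"},
            {"VulnerabilityID": "CVE-2026-2673", "PkgName": "openssl", "Severity": "HIGH",
             "InstalledVersion": "3.5.5-1~deb13u1", "FixedVersion": "3.5.5-1~deb13u2"},
            {"VulnerabilityID": "CVE-2026-28389", "PkgName": "openssl", "Severity": "UNKNOWN",
             "InstalledVersion": "3.5.5-1~deb13u1", "FixedVersion": "3.5.5-1~deb13u2"},
            {"VulnerabilityID": "CVE-2026-28390", "PkgName": "openssl-provider-legacy",
             "Severity": "UNKNOWN", "InstalledVersion": "3.5.5-1~deb13u1",
             "FixedVersion": "3.5.5-1~deb13u2"},
        ],
    }],
})

FAIL_ON = {"HIGH", "CRITICAL"}  # severities that block the deploy

def triage(report_json, fail_on=FAIL_ON):
    """Return (verdict, upgrades, blocking, review) for a Trivy JSON report.
    verdict: 'fail' if any finding has a blocking severity; 'review' if the only
    findings are UNKNOWN-severity ones that already have a fix (so an unscored
    CVE cannot slip past a severity-only filter); otherwise 'pass'."""
    report = json.loads(report_json)
    upgrades, blocking, review = {}, set(), set()
    for result in report.get("Results", []):
        # Trivy omits the key (or emits null) when a target has no findings
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN").upper()
            fixed = v.get("FixedVersion")  # empty when no fix is available yet
            if fixed:
                upgrades[v["PkgName"]] = fixed  # assumes one fix version per package
            if sev in fail_on:
                blocking.add(v["VulnerabilityID"])
            elif sev == "UNKNOWN" and fixed:
                review.add(v["VulnerabilityID"])
    verdict = "fail" if blocking else "review" if review else "pass"
    return verdict, upgrades, sorted(blocking), sorted(review)

def remediation(upgrades):
    """Pinned apt upgrade commands for a Debian-based image, one per package."""
    return [f"apt-get install --only-upgrade {p}={v}" for p, v in sorted(upgrades.items())]
```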