Session exposure incident (May 13–15, 2026)

by Nicola Tarocco, on May 21, 2026


Between May 13 and 15, 2026, a misconfiguration briefly caused some signed-in Zenodo user sessions to be served to other website visitors. This was an internal technical error, not an external malicious attack or hack.


We have already fixed the issue and taken the necessary remediation steps, and for nearly everyone, no action is required.

On May 15, 2026, the Zenodo team identified and resolved a web caching misconfiguration that temporarily exposed user sessions to other active users visiting specific URL paths.

  • Incident start: May 13, 2026, at 15:30 CEST (13:30 UTC)
  • Incident resolution & fix applied: May 15, 2026, at 15:15 CEST (13:15 UTC)

We take data privacy and platform security seriously. Below is a transparent breakdown of what happened, the limited scope of the impact, how we resolved it, and what it means for your account.

Why was the change made?

Zenodo has experienced a dramatic increase in platform traffic, driven in large part by automated traffic and AI scrapers/bots (see also our recent blog post). To ensure we continue providing a high-quality, fast, and responsive service to our research community, our team has been actively optimizing and scaling our infrastructure to cope with this high load.

Unfortunately, during one of these infrastructure scaling adjustments to our web caching, an unexpected configuration error was introduced.

What happened?

While adjusting our caching rules to better handle heavy automated traffic, we incorrectly configured the ones for the DOI badge images, visible in the record landing pages.

Instead of serving a static badge image, the caching layer inadvertently cached the active session state (anonymous or authenticated) of the user requesting it. As a result, if a subsequent user visited a record landing page that triggered that specific badge path, they were accidentally served the session of the previous user, effectively impersonating their account. In practical terms, for as long as a session was mixed up, the other person could see and do the same things the account owner could while signed in.
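To make the failure mode concrete, here is a small simulation of a shared cache sitting in front of a badge endpoint. It is an added example, not Zenodo's code or configuration: the assumption it makes is that the badge response carried a Set-Cookie header for the requesting user's session (one plausible way "session state" ends up in a cached object), so an over-broad "cache all badge images" rule stores one visitor's cookie and hands it to the next. The second policy shows the conservative storability check a shared cache should apply: never store a response that sets a cookie, is marked private or no-store, or was produced for a credentialed request without an explicit public marker. The path and session values are constructed.

```python
"""Simulated shared cache in front of a badge endpoint (constructed example)."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Response:
    status: int
    headers: dict[str, str]   # header names lower-cased
    body: bytes


Policy = Callable[[dict[str, str], Response], tuple[bool, str]]


def shared_cache_may_store(request_headers: dict[str, str], response: Response) -> tuple[bool, str]:
    """Conservative storability check for a shared (CDN / reverse-proxy) cache.

    Anything that carries session state, or that was produced for a credentialed
    request, must not be stored where a different visitor can receive it.
    """
    directives = {
        d.strip().lower()
        for d in response.headers.get("cache-control", "").split(",")
        if d.strip()
    }
    if "set-cookie" in response.headers:
        return False, "response carries Set-Cookie (session state)"
    if "no-store" in directives or "private" in directives:
        return False, "Cache-Control forbids storage in a shared cache"
    credentialed = "cookie" in request_headers or "authorization" in request_headers
    if credentialed and "public" not in directives:
        return False, "credentialed request and response not marked public"
    if response.headers.get("vary", "").strip() == "*":
        return False, "Vary: * makes the response uncacheable"
    return True, "storable"


def cache_everything(request_headers: dict[str, str], response: Response) -> tuple[bool, str]:
    """The over-broad rule: 'badge images are static, cache them all'."""
    return True, "path matched badge rule"


class SharedCache:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.store: dict[str, Response] = {}

    def fetch(self, path, request_headers, origin):
        if path in self.store:
            return self.store[path], True       # hit: identical bytes for every visitor
        response = origin(path, request_headers)
        storable, _reason = self.policy(request_headers, response)
        if storable:
            self.store[path] = response
        return response, False


def badge_origin(path, request_headers):
    """Constructed origin: serves the badge and (the assumed flaw) refreshes the
    caller's session cookie on every response, making the response per-user."""
    session = request_headers.get("cookie", "session=anon").split("=", 1)[1]
    return Response(
        200,
        {"content-type": "image/svg+xml",
         "set-cookie": f"session={session}; Path=/; HttpOnly"},
        b"<svg/>",
    )


def session_received_by_second_visitor(policy: Policy) -> str:
    """Visitor A (sessA) fetches the badge, then visitor B (sessB) fetches the same path.
    Returns the session value B holds after the exchange."""
    cache = SharedCache(policy)
    path = "/badge/EXAMPLE-DOI.svg"              # placeholder path, not a real record
    cache.fetch(path, {"cookie": "session=sessA"}, badge_origin)
    resp_b, _hit = cache.fetch(path, {"cookie": "session=sessB"}, badge_origin)
    return resp_b.headers["set-cookie"].split(";")[0].split("=", 1)[1]


if __name__ == "__main__":
    print("over-broad rule, B now holds:", session_received_by_second_visitor(cache_everything))
    print("safe rule, B now holds:      ", session_received_by_second_visitor(shared_cache_may_store))
```

With the over-broad rule, B's browser receives `session=sessA` and is now signed in as A, which is exactly the "suddenly logged into another user's account" symptom described below; with the conservative check the badge is fetched from the origin for each visitor and nothing session-bound is ever stored.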

Users navigating the site during these 48 hours may have experienced:

  • Being suddenly logged out of their account.
  • Finding themselves temporarily logged into another user's account.

User reports of unexpected account behaviour during this period confirmed our analysis of the access logs.

Impact analysis

We analysed approximately 5.8 million HTTP access log entries from our monitoring systems and cross-referenced them with every affected account.

Our findings show that the real-world impact was largely contained:

  • Approximately 3,000 accounts had their session reused by a different IP address. Because a signed-in user's email address is shown in the account menu, that email address may have been visible to another person in roughly 2,200 of these cases. In a smaller subset, other account settings pages were opened, which also show full name, email, affiliation, and linked accounts.
  • One user accidentally modified personal information of another account. Both accounts have been fully restored; no credentials or tokens were leaked.
  • One user accidentally published a record on behalf of another user due to a cached session. The issue has been solved.
  • A limited number of users connected their external login to the wrong account. All wrong accounts have been unlinked.
  • No users generated shared links or granted permanent unauthorized access to restricted records.
  • For 221 records that have restricted files, the in-browser file preview could have been shown to another person holding the owner's session, and for some of these a preview was opened. We confirmed that none of these restricted files were downloaded.

Where we were able to follow up with the users involved, they confirmed that these actions were accidental.
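The analysis described above starts from a simple signal: a session identifier that appears from more than one client IP inside the incident window. The script below is an added example of that detection step, not the Zenodo team's tooling. It assumes an access-log format in which each line ends with an opaque session id (`sid=...`); the log lines, account numbers and the `/account/settings` prefix used to highlight pages that render profile data are all constructed. An IP change on its own is a weak signal (mobile networks, VPNs and NAT produce them too), so the output is a list of candidates to reconcile with account data, as the report describes, rather than a verdict.

```python
"""Flag sessions used from more than one client IP inside an incident window."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Incident window from the report, converted to UTC.
INCIDENT_START = datetime(2026, 5, 13, 13, 30, tzinfo=timezone.utc)
INCIDENT_END = datetime(2026, 5, 15, 13, 15, tzinfo=timezone.utc)

# Assumed: pages whose mere rendering reveals profile data (name, email, affiliation).
SENSITIVE_PREFIXES = ("/account/settings",)

# Assumed line format: client_ip - account [time] "METHOD path proto" status sid=<session id>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<account>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) sid=(?P<sid>\S+)$'
)

# Constructed sample lines (not real Zenodo logs): session a1b2c3 moves between two
# IPs inside the window; 778899 moves too, but before the window; d4e5f6 stays put.
SAMPLE_LOG = """\
203.0.113.10 - 4711 [13/May/2026:14:02:11 +0000] "GET /records/1 HTTP/1.1" 200 sid=a1b2c3
203.0.113.10 - 4711 [13/May/2026:14:02:12 +0000] "GET /badge/EXAMPLE.svg HTTP/1.1" 200 sid=a1b2c3
198.51.100.7 - 4711 [13/May/2026:14:05:40 +0000] "GET /records/1 HTTP/1.1" 200 sid=a1b2c3
198.51.100.7 - 4711 [13/May/2026:14:05:41 +0000] "GET /account/settings/profile HTTP/1.1" 200 sid=a1b2c3
192.0.2.33 - 9001 [14/May/2026:09:10:00 +0000] "GET /records/2 HTTP/1.1" 200 sid=d4e5f6
192.0.2.33 - 9001 [14/May/2026:09:12:00 +0000] "GET /records/3 HTTP/1.1" 200 sid=d4e5f6
198.51.100.7 - 5150 [12/May/2026:10:00:00 +0000] "GET /records/4 HTTP/1.1" 200 sid=778899
203.0.113.10 - 5150 [12/May/2026:10:30:00 +0000] "GET /records/4 HTTP/1.1" 200 sid=778899
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_shared_sessions(log_text: str, start=INCIDENT_START, end=INCIDENT_END) -> dict:
    """Return {sid: {...}} for every session seen from 2+ IPs between start and end.

    Each entry lists the IPs, the account(s) the session was tied to, and the
    requested paths that render personal data, so follow-up can be prioritised.
    """
    by_sid = defaultdict(lambda: {"ips": set(), "accounts": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        entry = by_sid[rec["sid"]]
        entry["ips"].add(rec["ip"])
        entry["accounts"].add(rec["account"])
        entry["paths"].add(rec["path"])

    flagged = {}
    for sid, e in by_sid.items():
        if len(e["ips"]) < 2:
            continue
        flagged[sid] = {
            "ips": sorted(e["ips"]),
            "accounts": sorted(e["accounts"]),
            "sensitive_paths": sorted(p for p in e["paths"] if p.startswith(SENSITIVE_PREFIXES)),
        }
    return flagged


if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, info)
```

On the sample data only `a1b2c3` is flagged: it was used from two addresses inside the window and one of those requests opened a settings page, which is the case the report counts as "other account settings pages were opened". The pre-incident session is ignored by the time filter, which matters because ordinary IP churn outside the window would otherwise swamp the result.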

Actions taken

As soon as the bug was identified, we took Zenodo offline for about 45 minutes on May 15. The faulty caching rule was completely removed and we invalidated all active user sessions, logging everyone out and immediately terminating any lingering or mixed sessions.

As a strict precautionary measure, all private access tokens created during the 48-hour incident window have been permanently revoked.

All affected users have been contacted. In line with our data-protection obligations, we assessed the incident together with our Data Protection Officer and agreed on the scope and the actions described here.


Frequently Asked Questions (FAQ)

Do I need to change my password or tokens?

No. Passwords and tokens are encrypted and are never exposed in plain text.

Why did my API/Personal Access Token stop working?

If you generated a Personal Access Token between May 13 (15:30 CEST) and May 15 (15:15 CEST), we proactively revoked it to protect your account. You simply need to go to your profile settings and generate a new token. Tokens created before or after this window are completely unaffected.

Was my restricted data accessed?

Our access logs confirm that no restricted files were downloaded. For a number of records with restricted files, the in-browser preview, which shows part of a file, may have been visible to another person during the window. If you own one of these records, we have contacted you directly with the details.

I noticed a strange change on my account or a duplicate record. What should I do?

If you still see something unexpected that occurred strictly during the May 13–15 window, please contact us through support.

How do I know if I was affected?

If you were affected, we have emailed the address on your account. If you did not receive an email from us about this incident, you were not in the affected group.


We sincerely apologize for this incident and any confusion or concern it may have caused. While it is essential to adapt our infrastructure to handle modern web and AI traffic, we are reviewing our internal staging and testing procedures to ensure traffic-handling updates undergo stricter isolation rules before reaching production.



Latest platform improvements and updates

by Lea Guglielmetto-Chaleard, on April 13, 2026


We're excited to share a new round of updates designed to improve collaboration, transparency, and usability across Zenodo and the EU Open Research Repository (EOR).

Improved record deposits

We've introduced updates to simplify the deposition and publication process:

  • You can now request a storage quota increase directly during record deposition, making it easier to manage larger datasets. See the Manage storage quota documentation page for more information.
  • When editing a published record and changing files, you will now see remaining days left to publish. See the Modify files after publication documentation page for more information.
  • In the deposit form, the "Creators" section has been renamed to "Creators/Authors" for improved clarity when uploading datasets or publications.

Zenodo deposit form file upload section with the new quota increase feature

Enhanced commenting and discussion

When reviewing submissions, engaging with other users is now more seamless and interactive:

  • The new threaded comments feature is now available, enabling users to reply to specific comments in a clearer and more structured way.
  • You can now include mathematical equations when writing comments.
  • Each comment now has its own persistent direct link (permalink), making it easy to share and reference specific points in discussions.
  • You can now attach files to each comment, such as inline images or other support material.
  • From the published record landing page, the new link "View comments", in the "Communities" side panel, makes it easier to access the submission review page.
  • Community managers can now lock conversations and disable the addition of new comments, ensuring better moderation and control when needed.

Improved discovery and filtering

Finding relevant research is now faster and more intuitive. In the search page:

  • The new sorting option "Most downloaded" helps find impactful records.
  • The new "Publication date" filter allows for more precise search refinement.

Zenodo search page with new publication date facet

Metadata standardization for theses and dissertations

To enhance interoperability and align with the DataCite schema, we are standardizing the resource type for theses.

We recently identified an unnecessary distinction between “Thesis” and “Dissertation” in our metadata model. The user interface will now only display "Thesis" as an option, while internally, all records will use the DataCite-compliant "Dissertation" type. Existing DOIs will be updated to reflect this change, by converting the custom metadata:

  "types": {
    "resourceType": "Thesis",
    "resourceTypeGeneral": "Text"
  }

to the standard DataCite representation:

  "types": {
    "resourceTypeGeneral": "Dissertation"
  }

For API usage, we will maintain backward compatibility. The custom value “publication-thesis” will still be accepted, but it will be automatically converted internally to “publication-dissertation”.

New integration in OpenAIRE

In OpenAIRE CONNECT and EXPLORE, you can now upload the Open Access version of a publication to Zenodo in a very easy way. To discover the feature, read the related OpenAIRE blog post.

Share your feedback

These updates are part of our ongoing commitment to support open science and foster better collaboration across the research community. We encourage you to explore these new features and continue sharing your valuable feedback!

Share your feedback: help us by answering the EU Open Research Repository (EOR) Survey! The survey is open to all Zenodo users. Your input is essential to help us better understand your needs and guide future improvements. We encourage you to take a few minutes to share your feedback and contribute to shaping the platform.

Upcoming webinar: The EOR will also be presented during OAPEN EU Project: Insights from EU-Funded Authors Webinar on Tuesday 21 April 2026, 14:00 – 15:15 CEST. Registration is open here!


Thank you for being part of Zenodo!



Planned improvements and support expectations

by Nicola Tarocco, on January 28, 2026


Over the past months, many of you have experienced periods of slowness and occasional service interruptions on Zenodo. We would like to explain the current situation and outline the steps we are taking to address it.

Increased traffic and automated access

Zenodo traffic has increased significantly, not only from human users but also from automated systems, including bots, harvesters for AI and people using AI. These systems generate a sustained and aggressive load on the platform. Many of these automated systems do not respect our rate limits and actively try to circumvent them, creating additional strain. On average, we now observe around 180 requests per second. At peak times during working hours, this can easily reach 250 requests per second or more. The current Zenodo infrastructure was designed based on the traffic patterns observed during the migration to the next-generation platform, InvenioRDM, in 2023, when the load was lower and more predictable.

This affects both browsing and file transfers, resulting in slower uploads and downloads, as well as occasional unavailability. Basic mitigation techniques such as blocking and rate limiting are no longer sufficient on their own. More advanced traffic management and protection mechanisms are required, together with infrastructure upgrades.

Planned improvements

In the coming weeks, we will progressively upgrade the platform and deploy additional mitigation measures to better handle the increased load and reduce the impact of abusive or malicious traffic. These changes will be rolled out step by step in order to preserve service continuity.

During this period, we kindly ask for your patience. At the moment, support requests related to performance issues or temporary slowness are difficult to address individually, as the root causes are already identified and are being handled at the infrastructure level.

As Zenodo grows, our support team is receiving more support requests than ever. While we work through these requests, the fastest way to find a solution is often through our Help Portal and FAQs. We've designed these resources to give you instant answers to common questions so you can get back to your research without the wait.

We will keep you informed of major developments and improvements as they are deployed.

As always, Zenodo remains committed to its core mission of supporting open science, preserving research outputs, and providing reliable access to research for the global community. Ensuring that research remains open, accessible, and reusable continues to guide our technical and operational decisions.

Thank you for your understanding and for your continued use of Zenodo.