Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote malicious users to read arbitrary files via the HTTP fileUrl header.
apache tika 1.9