CVE-2026-44019
docling-project · docling-core
Docling Core is vulnerable to path traversal and resource exhaustion due to improper handling of external file names and uncontrolled resource consumption.
Executive summary
A high-severity vulnerability in docling-core allows unauthenticated attackers to trigger unauthorized file access and resource exhaustion, posing a significant risk to system stability and data confidentiality.
Vulnerability
This vulnerability involves improper input validation leading to external control of file paths (CWE-73) and uncontrolled resource consumption (CWE-400). The attack vector is network-based and does not require authentication, though it does require user interaction.
Business impact
The exploitation of these flaws could lead to unauthorized information disclosure or a denial of service condition. Given the CVSS score of 8.1, the risk is classified as high, as an attacker could potentially crash the document processing service or read sensitive files from the underlying server.
Remediation
Immediate Action: Update docling-core to version 2.74.1 or later to incorporate the necessary security patches.
Proactive Monitoring: Monitor system resource usage, specifically CPU and memory spikes, and review application access logs for unusual file path patterns.
Compensating Controls: Deploy a Web Application Firewall (WAF) to filter malicious requests that attempt to traverse directories or flood the application with excessive processing tasks.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
The severity of this issue necessitates an immediate upgrade to the patched version. Organizations should prioritize patching to prevent potential service degradation and unauthorized data access.