CVE-2026-44023
docling-project · docling-core
Docling Core is vulnerable to path traversal and server-side request forgery, potentially allowing unauthenticated attackers to access restricted files or perform unauthorized network requests.
Executive summary
Docling Core versions 1.5.0 through 2.74.0 contain path traversal and server-side request forgery vulnerabilities that permit unauthorized file access and network interaction.
Vulnerability
This vulnerability involves improper limitation of pathnames to restricted directories and server-side request forgery. These flaws allow unauthenticated remote attackers to interact with local files or perform requests to internal resources.
Business impact
The combination of path traversal and SSRF allows an attacker to read sensitive files from the server or probe internal network services that are otherwise protected from the public internet. This can lead to the exposure of configuration files, credentials, or internal data, resulting in a significant security breach. The CVSS score of 8.6 confirms the high severity of these combined issues.
Remediation
Immediate Action: Upgrade to docling-core version 2.74.1 or later to resolve the path traversal and SSRF flaws.
Proactive Monitoring: Audit network logs for unusual outbound connections from the server, which may indicate attempted SSRF exploitation.
Compensating Controls: Ensure the application runs with the minimum necessary filesystem permissions to limit the impact of potential path traversal attempts.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the potential for both information disclosure and internal network reconnaissance, users of docling-core must upgrade to version 2.74.1 immediately. Failure to patch leaves the application exposed to unauthorized file access and potential lateral movement within the network.