CVE-2026-44023

docling-project · docling-core

Docling Core is vulnerable to path traversal and server-side request forgery, potentially allowing unauthenticated attackers to access restricted files or perform unauthorized network requests.

Executive summary

Docling Core versions 1.5.0 through 2.74.0 contain path traversal and server-side request forgery vulnerabilities that permit unauthorized file access and network interaction.

Vulnerability

This vulnerability involves improper limitation of pathnames to restricted directories and server-side request forgery. These flaws allow unauthenticated remote attackers to interact with local files or perform requests to internal resources.

Business impact

The combination of path traversal and SSRF allows an attacker to read sensitive files from the server or probe internal network services that are otherwise protected from the public internet. This can lead to the exposure of configuration files, credentials, or internal data, resulting in a significant security breach. The CVSS score of 8.6 confirms the high severity of these combined issues.

Remediation

Immediate Action: Upgrade to docling-core version 2.74.1 or later to resolve the path traversal and SSRF flaws.

Proactive Monitoring: Audit network logs for unusual outbound connections from the server, which may indicate attempted SSRF exploitation.

Compensating Controls: Ensure the application runs with the minimum necessary filesystem permissions to limit the impact of potential path traversal attempts.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the potential for both information disclosure and internal network reconnaissance, users of docling-core must upgrade to version 2.74.1 immediately. Failure to patch leaves the application exposed to unauthorized file access and potential lateral movement within the network.