Skip to main content

E2pdf CVE-2026-32442

| EUVDEUVD-2026-11985 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
CVSS changed
Apr 29, 2026 - 10:22 NVD
4.3 (MEDIUM) 5.0 (MEDIUM)
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11985
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 4.3

DescriptionCVE.org

Missing Authorization vulnerability in E2Pdf e2pdf e2pdf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects e2pdf: from n/a through <= 1.28.15.

AnalysisAI

E2Pdf versions through 1.28.15 contain a missing authorization vulnerability that allows authenticated users to modify data they should not have access to due to incorrectly configured access control security levels. An attacker with low-level user privileges can exploit this via network access without user interaction to escalate their capabilities and modify unauthorized PDF-related resources. While the CVSS score of 4.3 is moderate and integrity impact is low, the vulnerability represents a classic authorization bypass that could allow privilege escalation or lateral movement within multi-user E2Pdf deployments.

Technical ContextAI

E2Pdf is a PDF generation and manipulation library/plugin commonly used in web applications and document management systems. The vulnerability stems from CWE-862 (Missing Authorization), which occurs when the application fails to properly verify that an authenticated user has the necessary permissions before allowing them to perform sensitive operations. Rather than a flaw in the underlying technology itself, this is a configuration or implementation issue where access control rules are not properly enforced at critical authorization checkpoints. The affected component involves resource-level access controls that should restrict PDF operations based on user roles or permissions, but instead allow authenticated users to perform actions outside their intended scope. This is distinct from authentication failures—the user is already authenticated—but the application fails to check whether that user should be allowed to perform the specific requested action.

RemediationAI

Immediately upgrade E2Pdf to a version newer than 1.28.15 (monitor vendor advisories for the exact patched version release). If immediate patching is not possible due to application dependencies or testing requirements, implement compensating controls by restricting network access to E2Pdf instances to trusted administrative users and IP ranges, enforcing strong authentication (multi-factor authentication for sensitive operations), and implementing audit logging on all PDF modification operations to detect unauthorized changes. Review and strengthen role-based access control (RBAC) configurations within E2Pdf to ensure granular permission enforcement at the resource level. Conduct a post-remediation audit of PDF documents modified during the vulnerability window to detect any unauthorized alterations. Subscribe to E2Pdf security announcements and maintain a documented patch management schedule for this and future library updates.

Share

CVE-2026-32442 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy