Skip to main content

Pdfding CVE-2026-34376

| EUVDEUVD-2026-17981 HIGH
Incorrect Authorization (CWE-863)
2026-04-01 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:09 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.7.0
EUVD ID Assigned
Apr 01, 2026 - 17:30 euvd
EUVD-2026-17981
Analysis Generated
Apr 01, 2026 - 17:30 vuln.today
CVE Published
Apr 01, 2026 - 17:05 nvd
HIGH 7.5

DescriptionGitHub Advisory

PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0.

AnalysisAI

Unauthorized access to password-protected PDFs in PdfDing versions prior to 1.7.0 allows unauthenticated remote attackers to bypass shared-link password verification and retrieve confidential documents via direct file-serving endpoint calls. The vulnerability (CWE-863: Incorrect Authorization) has CVSS 7.5 (High) severity with network attack vector requiring no privileges or user interaction. EPSS data not available; no evidence of active exploitation (not in CISA KEV). Publicly available exploit code exists via GitHub commit demonstrating the bypass mechanism. Vendor-released patch available in version 1.7.0.

Technical ContextAI

PdfDing (CPE: cpe:2.3:a:mrmn2:pdfding) is a self-hosted PDF management platform with document sharing capabilities. This vulnerability stems from CWE-863 (Incorrect Authorization), where the application implements a two-step access control pattern: password verification followed by file retrieval. The flaw occurs because the file-serving endpoint fails to validate whether a user successfully completed the password verification step before serving protected content. An attacker can identify the direct file URL structure and request password-protected shared PDFs by calling the file-serving endpoint directly, completely bypassing the password gate. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates this is exploitable remotely with low complexity, requiring no authentication or user interaction, resulting in high confidentiality impact. The vulnerability affects the core authorization logic rather than authentication mechanisms, allowing complete circumvention of the intended access control for shared documents.

RemediationAI

Immediately upgrade to PdfDing version 1.7.0 or later, which contains the authorization fix implemented in commit ae579ea98c5603d1435e0d90e81d72151564098a and released at https://github.com/mrmn2/PdfDing/releases/tag/v1.7.0. Review access logs for the file-serving endpoint to identify potential unauthorized access attempts to password-protected PDFs prior to patching, focusing on requests that bypassed the password verification flow. The vendor's security advisory (https://github.com/mrmn2/PdfDing/security/advisories/GHSA-42x7-vvj4-4cj3) and pull request #294 (https://github.com/mrmn2/PdfDing/pull/294) provide technical details on the fix implementation. If immediate patching is not feasible, consider temporarily disabling password-protected sharing features or restricting network access to PdfDing instances to trusted IP ranges until the upgrade can be completed. No effective workaround exists that maintains functionality while preventing the bypass, making version upgrade the only complete mitigation.

Share

CVE-2026-34376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy