Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0.
AnalysisAI
Unauthorized access to password-protected PDFs in PdfDing versions prior to 1.7.0 allows unauthenticated remote attackers to bypass shared-link password verification and retrieve confidential documents via direct file-serving endpoint calls. The vulnerability (CWE-863: Incorrect Authorization) has CVSS 7.5 (High) severity with network attack vector requiring no privileges or user interaction. EPSS data not available; no evidence of active exploitation (not in CISA KEV). Publicly available exploit code exists via GitHub commit demonstrating the bypass mechanism. Vendor-released patch available in version 1.7.0.
Technical ContextAI
PdfDing (CPE: cpe:2.3:a:mrmn2:pdfding) is a self-hosted PDF management platform with document sharing capabilities. This vulnerability stems from CWE-863 (Incorrect Authorization), where the application implements a two-step access control pattern: password verification followed by file retrieval. The flaw occurs because the file-serving endpoint fails to validate whether a user successfully completed the password verification step before serving protected content. An attacker can identify the direct file URL structure and request password-protected shared PDFs by calling the file-serving endpoint directly, completely bypassing the password gate. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates this is exploitable remotely with low complexity, requiring no authentication or user interaction, resulting in high confidentiality impact. The vulnerability affects the core authorization logic rather than authentication mechanisms, allowing complete circumvention of the intended access control for shared documents.
RemediationAI
Immediately upgrade to PdfDing version 1.7.0 or later, which contains the authorization fix implemented in commit ae579ea98c5603d1435e0d90e81d72151564098a and released at https://github.com/mrmn2/PdfDing/releases/tag/v1.7.0. Review access logs for the file-serving endpoint to identify potential unauthorized access attempts to password-protected PDFs prior to patching, focusing on requests that bypassed the password verification flow. The vendor's security advisory (https://github.com/mrmn2/PdfDing/security/advisories/GHSA-42x7-vvj4-4cj3) and pull request #294 (https://github.com/mrmn2/PdfDing/pull/294) provide technical details on the fix implementation. If immediate patching is not feasible, consider temporarily disabling password-protected sharing features or restricting network access to PdfDing instances to trusted IP ranges until the upgrade can be completed. No effective workaround exists that maintains functionality while preventing the bypass, making version upgrade the only complete mitigation.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17981