Skip to main content

Pdfding CVE-2026-34586

| EUVDEUVD-2026-17636 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-31 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.7.1
EUVD ID Assigned
Mar 31, 2026 - 21:14 euvd
EUVD-2026-17636
Analysis Generated
Mar 31, 2026 - 21:14 vuln.today
CVE Published
Mar 31, 2026 - 20:27 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence - it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1.

AnalysisAI

PdfDing prior to version 1.7.1 permits authenticated users to bypass access controls on shared PDF documents by accessing content after expiration, view limits, or soft-deletion due to incomplete validation in the check_shared_access_allowed() function. The Serve and Download endpoints rely solely on session existence checks without verifying SharedPdf.inactive or SharedPdf.deleted flags, allowing previously-authorized users to retrieve sensitive content that should no longer be accessible. This authentication bypass affects all versions before 1.7.1 and requires valid authentication credentials to exploit.

Technical ContextAI

PdfDing implements a shared PDF access control mechanism using a check_shared_access_allowed() function that validates user authorization for downloading or viewing shared documents. The vulnerability stems from incomplete input validation (CWE-863: Incorrect Authorization) where the function only verifies session existence without consulting the SharedPdf object's state flags. Specifically, the SharedPdf.inactive field (which tracks expiration and view count limits) and SharedPdf.deleted flag (soft-delete marker) are not evaluated before granting access. The Serve and Download API endpoints directly rely on this insufficient validation function, creating a window where previously-valid access tokens remain functional despite the underlying shared resource becoming inaccessible through normal channels. This is a classic authorization bypass where authentication (session presence) succeeds, but authorization (checking resource eligibility) fails.

RemediationAI

Vendor-released patch: PdfDing version 1.7.1 and later. Upgrade immediately to version 1.7.1 or newer, which restores proper authorization checks by validating SharedPdf.inactive and SharedPdf.deleted state flags in addition to session presence. The upstream fix is confirmed in commit a6783b259b25c839c52c6f2380333827a52e89eb and released as v1.7.1 at https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1. No workarounds are documented; patching is the primary remediation. If immediate patching is not feasible, restrict access to shared PDF endpoints at the network or reverse-proxy level and audit existing share links to revoke those intended for temporary access.

Share

CVE-2026-34586 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy