Skip to main content

Docling CVE-2026-44018

| EUVDEUVD-2026-39790 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-06-03 https://github.com/docling-project/docling GHSA-r3xg-rg9j-67fv
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Malicious input must be processed locally (AV:L, UI:R) with no privileges (PR:N); XXE yields high file-read confidentiality (C:H) and bombs cause DoS (A:H), with no integrity impact (I:N).

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 27, 2026 - 20:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 27, 2026 - 20:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 27, 2026 - 20:37 vuln.today
cvss_changed
Severity Changed
Jun 27, 2026 - 20:37 NVD
MEDIUM HIGH
CVSS changed
Jun 27, 2026 - 20:37 NVD
5.5 (MEDIUM) 7.1 (HIGH)
Source Code Evidence Fetched
Jun 03, 2026 - 21:51 vuln.today
Analysis Generated
Jun 03, 2026 - 21:51 vuln.today

DescriptionNVD

Impact

The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling:

  • XML External Entity (XXE) attacks to read local files or cause denial of service
  • Decompression bombs (zip bombs) to exhaust memory and disk space
  • Unbounded archive extraction consuming system resources

An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.

Patches

Fixed in version 2.91.0. The fix implements:

  • Secure XML parsing with resolve_entities=False, load_dtd=False, and no_network=True
  • Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count
  • Cumulative size tracking across all extractions
  • Early termination when limits are exceeded
  • Secure format detection of METS-GBS tar archives with _detect_mets_gbs() method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded

Workarounds

Avoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.

References

AnalysisAI

Local file disclosure and denial of service in the Docling document-conversion library (Python pip package, versions 2.45.0 up to 2.91.0) stem from its METS-GBS backend parsing XML and extracting archives without security controls. A maliciously crafted METS-GBS archive processed by Docling can trigger XML External Entity (XXE) resolution to read sensitive local files, or use decompression/zip bombs and unbounded tar extraction to exhaust memory and disk. EPSS is very low (0.01%, 3rd percentile) and there is no public exploit identified at time of analysis; exploitation requires a victim application to process attacker-supplied input.

Technical ContextAI

Docling is a popular open-source Python library (distributed as pkg:pip/docling) used to parse and convert documents - increasingly in RAG and LLM ingestion pipelines. The flaw lives in the METS-GBS backend, which handles METS-GBS tar archives (a METS-based packaging format for digitized books/Google Books-style content). Two root causes combine: an unsafe XML parser that resolved external entities and DTDs (classic XXE) and an archive extractor with no size/member limits. The assigned CWE-409 (Improper Handling of Highly Compressed Data / decompression bomb) captures the resource-exhaustion half; the advisory and tags also explicitly cite XXE, which is a CWE-611 class issue. The fix in 2.91.0 hardens XML parsing with resolve_entities=False, load_dtd=False, and no_network=True, and adds a _detect_mets_gbs() detector plus extraction limits (300 MB total, 10 MB per file, 1000 members) with cumulative tracking and early termination.

RemediationAI

Vendor-released patch: 2.91.0 - upgrade docling to 2.91.0 or later (pip install --upgrade 'docling>=2.91.0'), which enforces secure XML parsing (resolve_entities=False, load_dtd=False, no_network=True) and extraction limits (300 MB total, 10 MB per file, 1000 members). If you cannot upgrade immediately, the vendor workaround is to avoid processing METS-GBS archives from untrusted sources; where such processing is required, pre-validate archives in an isolated sandbox with strict CPU, memory, and disk quotas (the trade-off is added pipeline latency and operational overhead) and disable or gate the METS-GBS ingestion path so only trusted, size-bounded inputs reach the backend. See the advisory https://github.com/docling-project/docling/security/advisories/GHSA-r3xg-rg9j-67fv and release notes https://github.com/docling-project/docling/releases/tag/v2.91.0 (fix PR #3336, commit c1dbac2).

Share

CVE-2026-44018 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy