Skip to main content

Docling CVE-2026-44022

| EUVDEUVD-2026-39005 MEDIUM
Path Traversal (CWE-22)
2026-06-03 https://github.com/docling-project/docling GHSA-2j5p-7p5m-cvqr
5.5
CVSS 3.1 · Vendor: https://github.com/docling-project/docling
Share

Severity by source

Vendor (https://github.com/docling-project/docling) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from Vendor (https://github.com/docling-project/docling) · only source for this CVE.

CVSS VectorVendor: https://github.com/docling-project/docling

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 03, 2026 - 21:50 vuln.today
Analysis Generated
Jun 03, 2026 - 21:50 vuln.today

DescriptionCVE.org

Impact

The LaTeX backend's handling of \includegraphics, \input, and \include commands lacked path containment validation. Attackers could craft malicious LaTeX documents with path traversal sequences (e.g., ../../../etc/passwd) to:

  • Read arbitrary files from the file system accessible to the process
  • Include sensitive files in the converted document output
  • Potentially access configuration files, credentials, or other sensitive data

Patches

Fixed in version 2.91.0. The fix implements strict path validation using Path.resolve().is_relative_to() to ensure all resolved paths remain within the base document directory. Attempts to traverse outside the base directory are logged and blocked.

Workarounds

Avoid processing untrusted LaTeX documents. If processing is necessary, run in a sandboxed environment with restricted file system access.

References

AnalysisAI

Path traversal in Docling's LaTeX backend (pip/docling versions 2.73.0 through 2.90.x) allows an attacker who supplies a crafted LaTeX document to read arbitrary files accessible to the conversion process via the \includegraphics, \input, and \include command handlers. With a high confidentiality impact (C:H) but local attack vector and required user interaction (AV:L/UI:R per CVSS), the practical risk is concentrated in automated document-processing pipelines or services that ingest untrusted .tex files. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV. A vendor-released patch exists as of version 2.91.0.

Technical ContextAI

Docling is a Python-based document conversion library (pip/docling) that includes a LaTeX backend for processing .tex files. The backend interprets LaTeX commands including \includegraphics (for images), \input, and \include (for sub-document inclusion), all of which accept file path arguments. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) describes the root cause: the backend resolved these paths without verifying the resolved canonical path remained within the base document directory. An attacker can embed sequences such as \includegraphics{../../../etc/passwd} to escape the working directory. The fix introduced in 2.91.0 applies Python's Path.resolve().is_relative_to() to canonicalize the requested path and confirm it is a descendant of the base document directory before any file access is performed, with violations logged and blocked.

RemediationAI

Upgrade docling to version 2.91.0 or later using pip install --upgrade docling. This version implements strict path containment via Path.resolve().is_relative_to() in the LaTeX macro handlers (commit 65ef180, PR #3330) and is the authoritative fix per the vendor advisory at https://github.com/docling-project/docling/security/advisories/GHSA-2j5p-7p5m-cvqr. If an immediate upgrade is not feasible, the vendor-recommended workaround is to avoid processing untrusted LaTeX documents entirely. If processing untrusted input is operationally required and patching is delayed, run the Docling process inside a sandboxed environment with filesystem access restricted to only the document working directory - for example, using Linux namespaces, Docker with a read-only rootfs and explicit volume mounts, or seccomp/AppArmor profiles that deny open() calls to sensitive filesystem paths. Note that sandboxing is a compensating control, not a substitute for patching: any misconfiguration of the sandbox boundary may leave traversal paths partially accessible.

Share

CVE-2026-44022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy