
docling-graph CVE-2026-44520

EUVD-2026-30340 | MEDIUM (CVSS 3.1 base score 5.7)
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
Published 2026-05-07 | https://github.com/docling-project/docling-graph | GHSA-fqph-j6v6-jvgx

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: May 07, 2026 - 03:45 (vuln.today)
Analysis Generated: May 07, 2026 - 03:45 (vuln.today)
CVE Published: May 07, 2026 - 03:15 (nvd)

Description (NVD)

Impact

The URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, allowing an attacker to redirect requests to internal endpoints via an intermediary URL.

An attacker who can control the --source CLI argument or PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF) to reach:

  • Cloud metadata endpoints (e.g. 169.254.169.254) to steal IAM credentials
  • Internal services on loopback (127.0.0.1) or private network ranges (10.x, 172.16.x, 192.168.x)

This affects deployments where docling-graph processes URLs from untrusted input, such as multi-tenant pipelines or server-side automation.

Patches

The vulnerability is fixed in v1.5.1.

Users should upgrade immediately:

pip install --upgrade docling-graph

The fix adds IP validation via ipaddress and socket.gethostbyname() before any request is made, blocks private/loopback/link-local/reserved addresses, and disables redirect following (allow_redirects=False) with explicit validation of any Location header before following it.
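The checks the patch describes, written out as an added example (this is not docling-graph's own code): resolve the host, reject private, loopback, link-local and reserved targets with `ipaddress`, and follow redirects by hand so that each `Location` is validated before the next request. It goes slightly beyond the advisory's `socket.gethostbyname()` approach by using `socket.getaddrinfo()` so IPv6 records are checked as well; the function names, the injectable `resolver` and the `head` callback are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(host):
    """Every address the host resolves to (IPv4 and IPv6); [] on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_blocked_ip(ip_str):
    """Addresses a server-side fetcher must never contact; unparsable input fails closed."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 by the embedded IPv4
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_url(url, resolver=resolve_all):
    """None if url may be fetched, otherwise the reason it was rejected."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return f"bad scheme or empty host in {url!r}"
    addrs = resolver(parts.hostname)
    if not addrs:
        return f"cannot resolve {parts.hostname!r}"
    for addr in addrs:  # reject if ANY record points inside
        if is_blocked_ip(addr):
            return f"{parts.hostname!r} resolves to blocked address {addr}"
    return None

def head_checked(url, head, resolver=resolve_all, max_hops=5):
    """HEAD with redirects disabled, validating every hop; head(url) -> (status, headers),
    e.g. requests.head(url, allow_redirects=False). Returns (final_url, status)."""
    for _ in range(max_hops + 1):
        reason = validate_url(url, resolver)
        if reason:
            raise ValueError(f"refusing {url}: {reason}")
        status, headers = head(url)
        location = headers.get("Location")
        if status not in {301, 302, 303, 307, 308} or not location:
            return url, status
        url = urljoin(url, location)  # relative Location resolved, re-validated next hop
    raise ValueError("too many redirects")
```

Resolving once in the validator and again inside the HTTP client leaves a DNS-rebinding window between check and connect; connecting to the address that was actually checked closes it.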

Workarounds

If upgrading is not immediately possible, ensure that all URLs passed to URLInputHandler come exclusively from trusted, internal sources, never from user-supplied or external input. There is no safe code-level workaround short of applying the patch, as the vulnerability is in the library itself.

Resources

Analysis (AI)

Server-Side Request Forgery in docling-graph versions up to 1.5.0 allows authenticated attackers, with user interaction, to reach private, loopback, and cloud metadata endpoints by supplying arbitrary URLs to the URLInputHandler class or via the --source CLI argument, since no IP-level validation is performed. The vulnerability combines the missing internal-IP validation with unrestricted HTTP redirect following (allow_redirects=True), enabling theft of cloud IAM credentials and access to internal services in the 127.0.0.1, 10.x, 172.16.x, 192.168.x and 169.254.169.254 address ranges. …



CVE-2026-44520 vulnerability details – vuln.today
