Skip to main content

docling-graph CVE-2026-44520

| EUVDEUVD-2026-30340 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-07 https://github.com/docling-project/docling-graph GHSA-fqph-j6v6-jvgx
5.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 03:45 vuln.today
Analysis Generated
May 07, 2026 - 03:45 vuln.today
CVE Published
May 07, 2026 - 03:15 nvd
MEDIUM 5.7

DescriptionGitHub Advisory

Impact

The URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, allowing an attacker to redirect requests to internal endpoints via an intermediary URL.

An attacker who can control the --source CLI argument or PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF) to reach:

  • Cloud metadata endpoints (e.g. 169.254.169.254) to steal IAM credentials
  • Internal services on loopback (127.0.0.1) or private network ranges (10.x, 172.16.x, 192.168.x)

This affects deployments where docling-graph processes URLs from untrusted input, such as multi-tenant pipelines or server-side automation.

Patches

The vulnerability is fixed in v1.5.1.

Users should upgrade immediately:

pip install --upgrade docling-graph

The fix adds IP validation via ipaddress and socket.gethostbyname() before any request is made, blocks private/loopback/link-local/reserved addresses, and disables redirect following (allow_redirects=False) with explicit validation of any Location header before following it.

Workarounds

If upgrading is not immediately possible, ensure that all URLs passed to URLInputHandler come exclusively from trusted, internal sources, never from user-supplied or external input. There is no safe code-level workaround short of applying the patch, as the vulnerability is in the library itself.

Resources

AnalysisAI

Server-Side Request Forgery in docling-graph versions up to 1.5.0 allows authenticated attackers with user interaction to bypass IP validation and reach private, loopback, and cloud metadata endpoints by supplying arbitrary URLs to the URLInputHandler class or via the --source CLI argument. The vulnerability combines missing internal IP address validation with unrestricted HTTP redirects (allow_redirects=True), enabling theft of cloud IAM credentials and access to internal services on 127.0.0.1, 10.x, 172.16.x, 192.168.x, and 169.254.169.254 address ranges. Vendor-released patch: v1.5.1.

Technical ContextAI

The URLInputHandler class in docling_graph/core/input/handlers.py processes user-supplied URLs but fails to validate whether HTTP requests resolve to private, loopback, link-local, or reserved IP address ranges before making requests. The URLValidator performs only superficial checks-validating scheme and non-empty netloc-without any IP-level filtering. Additionally, the requests.head() call was configured with allow_redirects=True, permitting HTTP Location header redirects to internal endpoints without validation. The root cause is CWE-918 (Server-Side Request Forgery) combined with CWE-601 (URL Redirection to Untrusted Site). The library uses the Python requests library for HTTP operations, which follows redirects by default. The fix implements IP validation using the ipaddress and socket.gethostbyname() modules to block private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and reserved address ranges before any request is made, and disables automatic redirect following in favor of explicit Location header validation.

RemediationAI

Upgrade docling-graph to version 1.5.1 or later immediately via pip install --upgrade docling-graph. The patch adds IP validation using ipaddress and socket.gethostbyname() to block private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and reserved address ranges before making any HTTP request, and sets allow_redirects=False with explicit Location header validation. As a temporary workaround only for environments that cannot immediately patch, restrict URL input exclusively to trusted, internal sources and never accept URLs from user-supplied or external input via CLI arguments or API parameters; however, no safe code-level workaround exists within the vulnerable library version itself. Monitor container registries and dependency management systems to ensure all instances of docling-graph are updated. Review logs for any historical requests to IP ranges 127.0.x.x, 169.254.x.x, 10.x.x.x, 172.16-31.x.x, or 192.168.x.x to identify potential exploitation.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-44520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy