Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence - it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1.
AnalysisAI
PdfDing prior to version 1.7.1 permits authenticated users to bypass access controls on shared PDF documents by accessing content after expiration, view limits, or soft-deletion due to incomplete validation in the check_shared_access_allowed() function. The Serve and Download endpoints rely solely on session existence checks without verifying SharedPdf.inactive or SharedPdf.deleted flags, allowing previously-authorized users to retrieve sensitive content that should no longer be accessible. This authentication bypass affects all versions before 1.7.1 and requires valid authentication credentials to exploit.
Technical ContextAI
PdfDing implements a shared PDF access control mechanism using a check_shared_access_allowed() function that validates user authorization for downloading or viewing shared documents. The vulnerability stems from incomplete input validation (CWE-863: Incorrect Authorization) where the function only verifies session existence without consulting the SharedPdf object's state flags. Specifically, the SharedPdf.inactive field (which tracks expiration and view count limits) and SharedPdf.deleted flag (soft-delete marker) are not evaluated before granting access. The Serve and Download API endpoints directly rely on this insufficient validation function, creating a window where previously-valid access tokens remain functional despite the underlying shared resource becoming inaccessible through normal channels. This is a classic authorization bypass where authentication (session presence) succeeds, but authorization (checking resource eligibility) fails.
RemediationAI
Vendor-released patch: PdfDing version 1.7.1 and later. Upgrade immediately to version 1.7.1 or newer, which restores proper authorization checks by validating SharedPdf.inactive and SharedPdf.deleted state flags in addition to session presence. The upstream fix is confirmed in commit a6783b259b25c839c52c6f2380333827a52e89eb and released as v1.7.1 at https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1. No workarounds are documented; patching is the primary remediation. If immediate patching is not feasible, restrict access to shared PDF endpoints at the network or reverse-proxy level and audit existing share links to revoke those intended for temporary access.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17636