Skip to main content

Docling EUVDEUVD-2026-39791

| CVE-2026-47214 HIGH
External Control of File Name or Path (CWE-73)
2026-06-03 https://github.com/docling-project/docling GHSA-q29v-xc37-wh5m
7.1
CVSS 3.1 · Vendor: https://github.com/docling-project/docling
Share

Severity by source

Vendor (https://github.com/docling-project/docling) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

Primary rating from Vendor (https://github.com/docling-project/docling) · only source for this CVE.

CVSS VectorVendor: https://github.com/docling-project/docling

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 03, 2026 - 21:47 vuln.today
Analysis Generated
Jun 03, 2026 - 21:47 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on docling (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.94.0.

DescriptionCVE.org

Impact

The HTML backend did not perform sufficient validation during resource handling:

  • Accepted file:// URIs enabling local file system access when enable_local_fetch=True
  • Path resolution allowed traversal outside intended directories via ../ sequences and absolute paths
  • Did not block internal network resources under enable_remote_fetch=True
  • HTTP redirects were not validated, potentially redirecting to unintended schemes
  • No resource limits for remote image downloads and data: URIs

Patches

Fixed in versions 2.91.0 (initial fixes) and 2.94.0 (additional improvements). The fixes implement:

  • Updated local path treatment: absolute files always blocked, relative paths require enable_local_fetch=True (default: False) and containment within configured base_path for path traversal protection
  • file:// scheme stripped & treated as local path (above)
  • IP address validation to prevent SSRF
  • HTTP redirect validation, connection and read timeouts
  • Size limit for both remote images (with streaming download) and base64-decoded data URIs

Workarounds

Keep both enable_local_fetch=False and enable_remote_fetch=False (defaults) when processing untrusted HTML documents.

References

AnalysisAI

Path traversal and SSRF in Docling's HTML backend allow attackers to coerce the document processor into reading local files, contacting internal network resources, and consuming unbounded resources when a crafted HTML document is processed with non-default fetch flags enabled. The flaw affects the docling Python package prior to 2.94.0 and stems from missing validation of file:// URIs, relative/absolute paths, HTTP redirects, and download sizes; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Docling is an IBM-originated open-source Python library (pkg:pip/docling) used to parse and convert documents (HTML, DOCX, PPTX, PDF, etc.) into structured representations, frequently embedded in document-ingestion and RAG pipelines. The vulnerable component is the HTML backend's resource resolver, which fetches images and other linked assets referenced from an input HTML document. The root cause maps to CWE-73 (External Control of File Name or Path): user-controlled URIs in HTML were passed to file and network handlers without scheme allow-listing, IP filtering, redirect validation, or size caps, simultaneously enabling local file disclosure via file:// and ../ traversal and server-side request forgery against internal IPs when enable_remote_fetch was active. The 2.91.0 and 2.94.0 fixes add absolute-path blocking, base_path containment, file:// stripping, IP address validation, redirect/timeout enforcement, and streaming size limits for remote images and data: URIs.

RemediationAI

Vendor-released patch: upgrade docling to 2.94.0 or later (pip install --upgrade 'docling>=2.94.0'); 2.91.0 contains partial fixes but 2.94.0 is required for full coverage, per the release notes at https://github.com/docling-project/docling/releases/tag/v2.91.0 and https://github.com/docling-project/docling/releases/tag/v2.94.0. If upgrading immediately is not feasible, the vendor-recommended workaround is to keep both enable_local_fetch=False and enable_remote_fetch=False (the defaults) when processing untrusted HTML, which fully neutralizes the file:// and SSRF paths at the cost of losing the ability to inline local images or follow remote image references during conversion. For pipelines that must render images, run docling inside a network-egress-restricted sandbox that denies RFC1918 destinations and local filesystem access outside a dedicated working directory, and constrain base_path to a non-sensitive scratch directory; this preserves functionality but trades operational complexity for safety. Full advisory: https://github.com/docling-project/docling/security/advisories/GHSA-q29v-xc37-wh5m.

Share

EUVD-2026-39791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy