PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44023 docling-project CVE debrief

CVE-2026-44023 is a Server-Side Request Forgery (SSRF) vulnerability in Docling Core, a document processing application component. Versions 1.5.0 and above, prior to 2.74.1, are affected. The vulnerability allows attackers to access local files outside the user-defined cache directory by manipulating the Content-Disposition header. This issue has been fixed in version 2.74.1.

Vendor
docling-project
Product
docling-core
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Developers and administrators using Docling Core versions 1.5.0 through 2.74.0 should prioritize upgrading to version 2.74.1 to mitigate this SSRF vulnerability. Applications accepting untrusted URLs are particularly at risk.

Technical summary

The Docling Core library, which defines core data types and transformations for the document processing application Docling, did not sufficiently restrict remote request destinations. This flaw could allow an attacker to resolve a server-provided Content-Disposition to a local path in an unsafe manner, potentially leading to SSRF attacks that access local files outside the user-defined cache directory. The vulnerability is characterized by the following CVSS metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, with a CVSS score of 8.6, indicating a High severity.

Defensive priority

High priority should be given to upgrading Docling Core to version 2.74.1 or later. In the meantime, restricting the acceptance of untrusted URLs and implementing additional security measures to monitor and limit requests to sensitive local resources can help mitigate the risk.

Recommended defensive actions

  • Upgrade Docling Core to version 2.74.1 or later.
  • Restrict the acceptance of untrusted URLs in applications using affected versions of Docling Core.
  • Implement additional security measures to monitor and limit requests to sensitive local resources.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-16T21:17:21.123Z and has not been modified since then. The NVD entry is currently being reviewed. To verify the vulnerability, defenders should check the official CVE record and NVD detail page for CVE-2026-44023. The vulnerability affects Docling Core versions 1.5.0 and above, prior to 2.74.1. Evidence limits suggest that the vulnerability could allow SSRF attacks targeting local files outside the user-defined cache directory. Further verification is needed to confirm affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T21:17:21.123Z and has not been modified since then.