PT-2026-38412 · PyPI · Docling-Graph
Published 2026-05-07 · Updated 2026-05-07 · CVE-2026-44520
CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Impact
The URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and a non-empty netloc and performs no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, so an attacker could redirect requests to internal endpoints via an intermediary URL.

An attacker who can control the --source CLI argument or the PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF) to reach:
- Cloud metadata endpoints (e.g. 169.254.169.254) to steal IAM credentials
- Internal services on loopback (127.0.0.1) or private network ranges (10.x, 172.16.x, 192.168.x)

This affects deployments where docling-graph processes URLs from untrusted input, such as multi-tenant pipelines or server-side automation.
Patches
The vulnerability is fixed in v1.5.1. Users should upgrade immediately:
pip install --upgrade docling-graph
The fix adds IP validation via ipaddress and socket.gethostbyname() before any request is made, blocks private/loopback/link-local/reserved addresses, and disables redirect following (allow_redirects=False), with explicit validation of any Location header before it is followed.
Workarounds
If upgrading is not immediately possible, ensure that all URLs passed to URLInputHandler come exclusively from trusted, internal sources, never from user-supplied or external input. There is no safe code-level workaround short of applying the patch, as the vulnerability is in the library itself.
Resources
- CWE-918: Server-Side Request Forgery
- [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
- AWS Instance Metadata endpoint
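As an added example (not the docling-graph patch itself), the checks the fix described under Patches calls for, written out in Python: resolve the host with socket.gethostbyname(), reject private, loopback, link-local, reserved and multicast results with ipaddress, keep redirect following disabled and re-validate every Location header before following it. The function names, the example.test hosts, the canned resolver table and the fake transport are assumptions constructed so the block runs offline.

```python
import ipaddress
import socket
from types import SimpleNamespace
from urllib.parse import urljoin, urlparse

class UnsafeURL(ValueError):
    """Raised when a URL, or a redirect hop, points at a blocked address."""

def validate_url(url, resolve=socket.gethostbyname):
    """Resolve the host and return its IP, or raise UnsafeURL; runs before any request."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeURL(f"bad scheme or empty host: {url!r}")
    try:  # `resolve` is injectable so the check can run offline against a canned table
        ip = ipaddress.ip_address(resolve(parts.hostname))
    except (OSError, ValueError) as exc:  # socket.gaierror is an OSError subclass
        raise UnsafeURL(f"cannot resolve {parts.hostname!r}: {exc}") from exc
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        raise UnsafeURL(f"{parts.hostname!r} resolves to blocked address {ip}")
    return str(ip)

def safe_head(url, head, resolve=socket.gethostbyname, max_redirects=3):
    """HEAD with redirects disabled; `head` mirrors requests.head() and each Location hop is re-validated."""
    for _ in range(max_redirects + 1):
        validate_url(url, resolve)
        resp = head(url, allow_redirects=False)
        location = resp.headers.get("Location")
        if resp.status_code not in (301, 302, 303, 307, 308) or not location:
            return resp
        url = urljoin(url, location)  # relative Location -> absolute; the loop re-checks it
    raise UnsafeURL("too many redirects")

# Constructed offline fixtures (made-up hosts): a canned resolver table, plus a fake transport whose /redir path answers with a redirect to the metadata address.
DNS_TABLE = {"docs.example.test": "1.2.3.4"}
REDIRECTS = {"https://docs.example.test/redir": "http://169.254.169.254/latest/meta-data/"}

def fake_head(url, allow_redirects=False):
    assert allow_redirects is False, "redirect following must stay disabled"
    hop = REDIRECTS.get(url)
    return SimpleNamespace(status_code=302 if hop else 200, headers={"Location": hop} if hop else {})

def is_blocked(url):
    """True if safe_head refuses `url`, either directly or at a redirect hop."""
    try:
        safe_head(url, fake_head, resolve=lambda host: DNS_TABLE.get(host, host))
        return False
    except UnsafeURL:
        return True
```

socket.gethostbyname() returns a single IPv4 answer, so a host that only has an AAAA record is refused (fail closed). A client library that resolves the name again when it connects can still be steered to a different address if the DNS answer changes between the check and the request; pinning the connection to the validated IP closes that gap.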
Tags: SSRF, Open Redirect
Affected Products
Docling-Graph