CVE-2026-44023

Name of the Vulnerable Software and Affected Versions docling-core versions 1.5.0 through 2.74.0

Description The software does not sufficiently restrict remote request destinations and can resolve a server-provided Content-Disposition to a local path in an unsafe manner. In applications that accept untrusted URLs, this can lead to Server-Side Request Forgery (SSRF), which is a technique where an attacker forces a server to make requests to an unintended location, targeting local files outside the user-defined cache directory.

Recommendations Update to version 2.74.1 or later. As a temporary workaround, avoid passing untrusted URLs into remote fetch functionality.