GHSA-FQPH-J6V6-JVGX
Vulnerability from github – Published: 2026-05-07 03:15 – Updated: 2026-05-14 20:54
Impact
The URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, allowing an attacker to redirect requests to internal endpoints via an intermediary URL.
An attacker who can control the --source CLI argument or PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF) to reach:
- Cloud metadata endpoints (e.g. 169.254.169.254) to steal IAM credentials
- Internal services on loopback (127.0.0.1) or private network ranges (10.x, 172.16.x, 192.168.x)
This affects deployments where docling-graph processes URLs from untrusted input, such as multi-tenant pipelines or server-side automation.
Patches
The vulnerability is fixed in v1.5.1.
Users should upgrade immediately:
pip install --upgrade docling-graph
The fix adds IP validation via ipaddress and socket.gethostbyname() before any request is made, blocks private/loopback/link-local/reserved addresses, and disables redirect following (allow_redirects=False) with explicit validation of any Location header before following it.
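As an added illustration of the approach the patch description outlines (this is example code, not docling-graph's own fix): a Python pre-flight check that resolves the host, rejects non-public addresses using ipaddress, and follows redirects by hand with every Location target re-validated. The hostnames, the public IP, FAKE_DNS, fake_resolve and FakeSession are constructed stand-ins so the block runs offline.

```python
import ipaddress
import socket
from types import SimpleNamespace
from urllib.parse import urljoin, urlparse

# Added example, not docling-graph's own code: the check the advisory's fix describes.

def is_public_address(ip_str):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(ip_str)
    # is_global is False for private, loopback, link-local (169.254/16, which
    # holds the cloud metadata endpoint) and reserved ranges, but not multicast.
    return ip.is_global and not ip.is_multicast

def validate_url(url, resolve=socket.gethostbyname):
    """Resolve the host and return its IP if public; `resolve` is injectable."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("URL has no host")
    try:
        ip = resolve(parsed.hostname)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        raise ValueError(f"cannot resolve {parsed.hostname!r}") from exc
    if not is_public_address(ip):
        raise ValueError(f"{parsed.hostname!r} resolves to non-public {ip}")
    return ip

def safe_head(url, session, resolve=socket.gethostbyname, max_hops=3):
    """HEAD with allow_redirects=False, re-validating each Location target."""
    for _ in range(max_hops + 1):
        validate_url(url, resolve)
        resp = session.head(url, allow_redirects=False, timeout=10)
        location = resp.headers.get("Location")
        if resp.status_code not in (301, 302, 303, 307, 308) or not location:
            return resp
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")

# Constructed offline stand-ins (hypothetical hosts, no network); production uses
# the real resolver and a requests.Session().
FAKE_DNS = {"docs.example": "93.184.216.34", "intranet.example": "10.0.0.5"}
def fake_resolve(host):
    return FAKE_DNS.get(host, host)  # IP literals pass through unchanged
class FakeSession:
    def head(self, url, allow_redirects=False, timeout=None):
        if url == "https://docs.example/redirect":  # public host, internal 302
            loc = {"Location": "http://intranet.example/admin"}
            return SimpleNamespace(status_code=302, headers=loc)
        return SimpleNamespace(status_code=200, headers={})
```

With a real requests.Session the same loop stops at the first hop whose target resolves to a private, loopback or link-local address, which is the redirect path the advisory describes.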
Workarounds
If upgrading is not immediately possible, ensure that all URLs passed to URLInputHandler come exclusively from trusted, internal sources, never from user-supplied or external input. There is no safe code-level workaround short of applying the patch, as the vulnerability is in the library itself.
Resources
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5.0"
},
"package": {
"ecosystem": "PyPI",
"name": "docling-graph"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44520"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T03:15:46Z",
"nvd_published_at": "2026-05-14T18:16:50Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe `URLInputHandler` class in `docling_graph/core/input/handlers.py` makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The `URLValidator` only checks for a valid scheme and non-empty `netloc`, performing no IP-level validation. Additionally, `requests.head()` was called with `allow_redirects=True`, allowing an attacker to redirect requests to internal endpoints via an intermediary URL.\n\nAn attacker who can control the `--source` CLI argument or `PipelineConfig.source` API parameter can trigger Server-Side Request Forgery (SSRF) to reach:\n- Cloud metadata endpoints (e.g. `169.254.169.254`) to steal IAM credentials\n- Internal services on loopback (`127.0.0.1`) or private network ranges (`10.x`, `172.16.x`, `192.168.x`)\n\nThis affects deployments where `docling-graph` processes URLs from untrusted input, such as multi-tenant pipelines or server-side automation.\n\n### Patches\n\nThe vulnerability is fixed in **v1.5.1**.\n\nUsers should upgrade immediately:\n```\npip install --upgrade docling-graph\n```\n\nThe fix adds IP validation via `ipaddress` and `socket.gethostbyname()` before any request is made, blocks private/loopback/link-local/reserved addresses, and disables redirect following (`allow_redirects=False`) with explicit validation of any `Location` header before following it.\n\n### Workarounds\n\nIf upgrading is not immediately possible, ensure that **all URLs passed to `URLInputHandler` come exclusively from trusted, internal sources**, never from user-supplied or external input. There is no safe code-level workaround short of applying the patch, as the vulnerability is in the library itself.\n\n### Resources\n\n- [CWE-918: Server-Side Request Forgery](https://cwe.mitre.org/data/definitions/918.html)\n- [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n- [AWS Instance Metadata endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)",
"id": "GHSA-fqph-j6v6-jvgx",
"modified": "2026-05-14T20:54:24Z",
"published": "2026-05-07T03:15:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/docling-project/docling-graph/security/advisories/GHSA-fqph-j6v6-jvgx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44520"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/docling-project/docling-graph"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler"
}