Top/Articles/Document-to-AI tool Docling hit by a string of flaws: crafted documents or URLs can leak internal information β€” CVE-2026-44023 and 7 more, update now
docling-cve-cover-en

Document-to-AI tool Docling hit by a string of flaws: crafted documents or URLs can leak internal information β€” CVE-2026-44023 and 7 more, update now

Docling, a popular tool for feeding PDFs and Word files into AI, has eight flaws led by CVE-2026-44023 (severity 8.6) that can be used to steal internal files and information via crafted documents or URLs. They include SSRF and XXE and affect setups that process untrusted data. Updating docling-core to 2.74.1 and the main docling to 2.94.0 or later fixes them. No real-world attacks confirmed.

NewsPublished July 17, 2026 Updated today
Table of contents
Key takeaways

Docling, a popular tool for feeding PDFs and Word files into AI, has eight flaws led by CVE-2026-44023 (severity 8.6) that can be used to steal internal files and information via crafted documents or URLs. They include SSRF and XXE and affect setups that process untrusted data. Updating docling-core to 2.74.1 and the main docling to 2.94.0 or later fixes them. No real-world attacks confirmed.

A string of flaws that can be used to steal internal information via crafted documents or URLs has been found in "Docling," a popular tool for feeding documents like PDF, Word, and PowerPoint into generative AI. The centerpiece is CVE-2026-44023 at CVSS 8.6, and together with related flaws, eight in total were disclosed at once. Their severities all fall in the 5.5–8.6 range on the CVSS scale (out of 10).

Docling is open source published by IBM's research division. It parses documents in various formats and shapes them into a form that is easy for AI to handle β€” the "prep work." It is widely used in setups where generative AI answers from your own materials (RAG), with a GitHub star count (a gauge of popularity) above 42,000 and about 1.5 million monthly downloads on the Python package registry. It is one of the staple components in AI development.

Broadly, these flaws mean that "if malice is planted in the documents or URLs you have Docling read, files inside the server that should be off-limits, or information that must not leave, can be read out." Since fixed versions have already been released for all of them, the remedy is simply to update. We explain what happens, which flaw is how dangerous, and which version to move to β€” in order. Tools that have AI read external data being used as a stepping stone keeps happening, such as the case where Repomix, a tool that hands code to AI, could be abused to leak internal information.

What happens

In one sentence: when Docling reads a document, image, or URL, it did not sufficiently verify the "source it fetches from" or the "filename." An attacker exploits this laxness to make the server running Docling read files in places it should not reach, or send requests on its behalf toward the internal network. As a result, configuration files, credentials, and internal cloud information can leak out. The main flaws disclosed this time are as follows.

CVE IDAffectedFlaw typeSeverityFixed in
CVE-2026-44023docling-coreFetch abuse (SSRF) +
file read-out
8.6 (High)2.74.1
CVE-2026-44016doclingCode execution / SSRF
in HTML rendering
8.2 (High)2.91.0
CVE-2026-44019docling-coreImproper validation of
image reference URIs
8.1 (High)2.74.1
CVE-2026-44020doclingXXE in patent XML
parsing
7.5 (High)*2.91.0
CVE-2026-44017doclingUnsafe write on OCR
model download (Zip Slip)
7.5 (High)2.91.0
CVE-2026-47214doclingUnsafe URI/path handling
in HTML processing
7.1 (High)2.94.0
CVE-2026-44018doclingXXE + decompression
bomb in XML parsing
5.5 (Moderate)2.91.0
CVE-2026-44022doclingFile read-out via
LaTeX parsing
5.5 (Moderate)2.91.0

"docling-core" is Docling's core component, and "docling" is the main body that reads documents; both are distributed as Python packages. Note that CVE-2026-44020's severity ranges widely from 7.5 to 9.4 depending on the rating organization. What they all share is that the danger arises when you have Docling process "untrusted documents or URLs."

Who targets this, and why

The party that can exploit these is an attacker who can send crafted data into a system that has Docling read user-uploaded documents or externally specified URLs as-is (such as a RAG or document-conversion service). No login or special privileges are needed; the attacker only has to pose as an ordinary user and get a trap-laden file or link processed.

What that attacker does is make the server running Docling read out internal files, or send requests toward the internal network on its behalf, and pull out information that must not leave. Concretely, the targets are the server's configuration files and keys, internal cloud information, and the like. What was meant to be just "reading a document" becomes, behind the scenes, a peek into the inside of the server.

The damage is not only the service operator's problem. Stolen keys and internal information can also be used against the data of end users of that service, or to break into other connected systems. Components that have AI read external data tend to make that very "reading" action the entry point for attacks; as with the case where the AI training-data platform Feast saw a run of no-authentication flaws, the same kind of problem is reported repeatedly in the foundations of AI development.

Breakdown of the main flaws (most severe first)

CVE-2026-44023: Improper validation of fetch source and filename (docling-core, 8.6)

This is the most severe flaw this time. When docling-core fetches data from an external URL, it trusted the "filename" information returned by the other server without validation. If an attacker's server returns a path like ../../../../etc/passwd, it can be made to read, write, or reference files inside the server beyond the intended save location, leading to theft of internal information. The official advisory notes it is fixed in 2.74.1.

CVE-2026-44016: Code execution in the HTML rendering feature (docling, 8.2)

If the feature that renders HTML documents as images (using a component called Playwright) is enabled, crafted HTML could lead to code execution on the server or requests sent toward internal destinations. This rendering feature is disabled by default, so setups that explicitly enable it are affected. Fixed in docling 2.91.0.

CVE-2026-44019: Improper validation of image reference URIs (docling-core, 8.1)

A flaw where special specifiers like file:/// and data: in a document's image references were not sufficiently validated. Abusing it leads to local file read-out or excessive processing. This too is fixed in docling-core 2.74.1.

CVE-2026-44020: XXE in patent XML parsing (docling, 7.5–9.4)

The routine that reads patent-document (USPTO format) XML had a classic flaw called XML external entity injection (XXE). Crafted XML allows things like reading files inside the server. Severity ratings range from 7.5 to 9.4 across organizations. Fixed in docling 2.91.0.

CVE-2026-47214: Unsafe URI/path handling in HTML processing (docling, 7.1)

In the backend that reads HTML, handling of URIs and paths including file:// was unsafe, leading to local file references, internal-destination requests, and redirect abuse. This one is ultimately fixed in docling 2.94.0, so the update target becomes 2.94.0 or later.

CVE-2026-44017: Unsafe write on OCR model download (docling, 7.5)

When downloading and extracting a model for character recognition (OCR), a crafted path inside the archive could make it write files to unintended locations β€” a flaw known as "Zip Slip." Fixed in docling 2.91.0.

Beyond these, there is CVE-2026-44018 (Moderate, fixed in 2.91.0), combining XML external entity injection with excessive decompression, and CVE-2026-44022 (Moderate, fixed in 2.91.0), which can read out other files via LaTeX document parsing. Also, from a different time frame, docling-core had CVE-2026-24009 (fixed in 2.48.4), which can execute code by abusing config-file loading β€” so it is safest to move to the latest version across the board.

Affected versions and fixes

The remedy is simply to update the component you use to the fixed version below or later. Whether you use Docling directly or through the inside of another tool, check the version of each component. The fixes are officially released.

Component (package)AffectedUpdate target
docling-corebelow 2.74.12.74.1 or later
docling (main)below 2.91.0
(CVE-2026-47214: below 2.94.0)
2.94.0 or later
(latest is safest)

Most of docling's issues are fixed in 2.91.0, but CVE-2026-47214 alone is addressed in 2.94.0, so to make everything safe at once, moving to 2.94.0 or later (ideally the latest) is the sure route. As of now, there is no evidence that these are listed in the U.S. CISA catalog of vulnerabilities known to be actively exploited (KEV), and no real-world attacks have been confirmed. Even so, because usage is broad, updating early is safest.

What to do right now

First, confirm whether your project uses docling or docling-core. If you are building a RAG or document-search system, it may be loaded inside another library without your noticing. If you use it, updating to the fixed version in the table above or later is the basic remedy. Through Python's dependency management, it is safest to update it including anything pulled in indirectly.

If you cannot update right away, switching to an operation that does not have Docling process "untrusted URLs" or "documents of unknown origin" is your interim defense. In particular, setups that explicitly enable external URL fetching or the HTML rendering feature more easily meet the preconditions for exploitation, so take care. It also helps to grasp which open-source components you use and what data they pull in from outside as preparation against such flaws. The habit of checking your dependencies is useful. In AI development tools, serious flaws keep coming β€” as with the case where the automation tool PraisonAI had a severity-10.0 takeover reported β€” so making component updates a habit is the surest shortcut.

Bottom line

In Docling, the popular tool for feeding documents into AI, flaws that can be used to steal internal files and information via crafted documents or URLs were disclosed together β€” eight in total, led by CVE-2026-44023 (severity 8.6). All of them arise in setups that have Docling process untrusted data, and if successful, they lead to leakage of information inside the server.

The remedy is simple: update docling-core to 2.74.1 or later and docling itself to 2.94.0 or later. No real-world attacks have been confirmed yet, and they are not in KEV, but because usage is broad and the methods are easy to grasp, it is wise not to defer the update. Check by dependency so you do not miss cases where it is pulled in indirectly. We will add to this article as new information or attacks are confirmed.

Sources

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django