CVE-2026-44023: Docling Core: Unsafe remote filename resolution
In versions >= 1.5.0, < 2.74.1, docling-core did not sufficiently restrict remote request destinations and could resolve a server-provided Content-Disposition to a local path in an unsafe manner.
In applications that accept untrusted URLs, this could allow SSRF attacks targeting local files outside the user-defined cache directory.
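The following is an added example, not docling-core's code or its fix: one way for an application to map a server-supplied Content-Disposition filename to a path that cannot leave its cache directory. The function names, the `download.bin` fallback and the sample header values are assumptions made for illustration, and the sketch covers only the filename half of the issue, not restriction of request destinations.

```python
import re
from email.message import Message
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Optional

FALLBACK_NAME = "download.bin"  # assumed default when no usable name is offered


def filename_from_header(content_disposition: str) -> Optional[str]:
    """Extract the filename parameter from a Content-Disposition value."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()


def sanitize_name(raw: str) -> str:
    """Reduce an untrusted name to one harmless path component."""
    # Drop directory parts under both POSIX and Windows separator rules.
    name = PureWindowsPath(PurePosixPath(raw).name).name
    # Allow a conservative character set; no leading dots ("..", dotfiles).
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return name or FALLBACK_NAME


def safe_cache_path(cache_dir: Path, content_disposition: str) -> Path:
    """Map a server-supplied filename to a path that stays inside cache_dir."""
    raw = filename_from_header(content_disposition) or FALLBACK_NAME
    root = cache_dir.resolve()
    target = (root / sanitize_name(raw)).resolve()  # follows symlinks
    # Final containment check: catches symlinks planted in the cache directory.
    if not target.is_relative_to(root):
        raise ValueError(f"refusing path outside cache directory: {target}")
    return target


if __name__ == "__main__":
    # Constructed header values, not taken from the advisory.
    for header in ('attachment; filename="report.pdf"',
                   'attachment; filename="../../etc/passwd"',
                   'attachment; filename=".."'):
        print(header, "->", safe_cache_path(Path("cache"), header))
```

The containment check runs on the resolved path, so it still holds if the sanitizing step is later loosened or a symlink already exists in the cache directory.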
Detect and mitigate CVE-2026-44023 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.