CVE-2026-44520: docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler
The URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, allowing an attacker to redirect requests to internal endpoints via an intermediary URL.
An attacker who can control the --source CLI argument or the PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF) to reach:
- Cloud metadata endpoints (e.g. 169.254.169.254) to steal IAM credentials
- Internal services on loopback (127.0.0.1) or private network ranges (10.x, 172.16.x, 192.168.x)
This affects deployments where docling-graph processes URLs from untrusted input, such as multi-tenant pipelines or server-side automation.
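The two gaps the advisory describes, no IP-level check on the target and redirects followed automatically, are illustrated below with a defensive validator. This is an added example, not docling-graph's own code: the function names (is_blocked_ip, validate_url, guarded_head), the injectable resolver and request callable, and the stub DNS table and responses are all constructed for this page so that it runs offline. It resolves the hostname, rejects any address in loopback, private, link-local (which covers 169.254.169.254), multicast, unspecified or reserved space, unwraps IPv4-mapped IPv6 literals, and follows redirects by hand with allow_redirects=False semantics so every hop is re-checked.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse


class SSRFError(ValueError):
    """Raised when a URL must not be fetched server-side."""


def is_blocked_ip(ip_str: str) -> bool:
    """True for loopback, RFC 1918 private, link-local (includes the
    169.254.169.254 cloud metadata address), multicast, unspecified and
    reserved ranges. IPv4-mapped IPv6 literals are unwrapped first so that
    ::ffff:127.0.0.1 is judged like 127.0.0.1."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def default_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record: all addresses a name maps to must pass."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url: str, resolver=default_resolver) -> list[str]:
    """Scheme/netloc checks (what the original validator did) plus the
    IP-level check the advisory says was missing. Returns resolved addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise SSRFError(f"unsupported or empty URL: {url!r}")
    host = parts.hostname
    if not host:
        raise SSRFError(f"no hostname in {url!r}")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolver(host)                       # DNS name: resolve it
    if not addrs:
        raise SSRFError(f"{host!r} does not resolve")
    for addr in addrs:
        if is_blocked_ip(addr):
            raise SSRFError(f"{url!r} resolves to blocked address {addr}")
    return addrs


def is_safe_url(url: str, resolver=default_resolver) -> bool:
    try:
        validate_url(url, resolver)
        return True
    except SSRFError:
        return False


def guarded_head(url, request_fn, resolver=default_resolver, max_redirects=3):
    """Follow redirects by hand instead of allow_redirects=True, re-validating
    every hop. request_fn(url) returns an object with .status_code and
    .headers; `lambda u: requests.head(u, allow_redirects=False, timeout=5)`
    fits. Returns ('ok', final_url, status) or ('blocked', url, reason)."""
    for _ in range(max_redirects + 1):
        try:
            validate_url(url, resolver)
        except SSRFError as exc:
            return ("blocked", url, str(exc))
        resp = request_fn(url)
        location = resp.headers.get("Location")
        if resp.status_code in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # resolves relative Location values
            continue
        return ("ok", url, resp.status_code)
    return ("blocked", url, "too many redirects")


# --- constructed stand-ins so the example runs offline (not real hosts) ---
STUB_DNS = {"docs.example": ["8.8.8.8"],            # a public, non-private sample
            "metadata.internal": ["169.254.169.254"]}


def stub_resolver(host):
    return STUB_DNS.get(host, [])


class StubResponse:
    def __init__(self, status_code, headers=None):
        self.status_code, self.headers = status_code, headers or {}


def stub_request(url):
    # docs.example/bounce plays an open redirect pointing at the metadata service
    if url == "http://docs.example/bounce":
        return StubResponse(302, {"Location": "http://169.254.169.254/latest/meta-data/"})
    return StubResponse(200)


if __name__ == "__main__":
    print(guarded_head("http://docs.example/report.pdf", stub_request, stub_resolver))
    print(guarded_head("http://docs.example/bounce", stub_request, stub_resolver))
```

One caveat for anyone adapting this: validating the resolved address and then letting the HTTP library resolve the name again leaves a DNS-rebinding window. Closing it fully means connecting to the address that was checked (for example through a transport adapter that pins the resolved IP and sets the Host header), not just checking and then re-resolving.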