Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.

Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.

The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22), reported as CVE-2026-23907. However, the fix shipped in releases 2.0.36 and 3.0.7 is flawed because it does not take the file path separator into account when checking the target path. Because of that, a user with write permission on /home/ABC could be the victim of a malicious PDF that causes a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".

Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
Published: 2026-04-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal allowing arbitrary file write within the user’s home directory
Action: Immediate Patch
AI Analysis

Impact

The ExtractEmbeddedFiles example in Apache PDFBox Examples (Apache Software Foundation) contains a path traversal flaw (CWE-22) that lets a crafted PDF cause the code to write to unintended files. Because the example does not handle file path separators properly, an attacker can target any path that begins with the current user's home directory as a prefix, creating or overwriting files and potentially exposing sensitive data or enabling further compromise.
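The separator problem described in the Description and in the Impact paragraph above, as an added Java example that is not the PDFBox code or the change from PR 427: a character-level prefix test of the kind the advisory describes, beside a containment check that compares whole path elements. The extraction directory and the embedded-file names are constructed for the demonstration, and the layout assumes POSIX-style paths.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class EmbeddedFileTargetCheck {

    // Flawed pattern described in the advisory: a character-level prefix test.
    // "/home/ABCDEF/x" starts with the string "/home/ABC", so it is accepted.
    static boolean flawedIsInside(Path baseDir, String embeddedName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(embeddedName).toAbsolutePath().normalize();
        return target.toString().startsWith(base.toString());
    }

    // Hardened containment test (added here, not the project's code): compare whole
    // path elements. Path.startsWith(Path) only matches on name-element boundaries,
    // so "/home/ABCDEF/x" is no longer considered inside "/home/ABC". The target must
    // also differ from the base itself, since the directory is not a valid output file.
    static boolean isInside(Path baseDir, String embeddedName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(embeddedName).toAbsolutePath().normalize();
        return target.startsWith(base) && !target.equals(base);
    }

    public static void main(String[] args) {
        // Constructed sample: the extraction directory and embedded-file names as a
        // PDF might carry them. No files are created; only the checks run.
        Path extractDir = Paths.get("/home/ABC");
        String[] embeddedNames = {
            "report.txt",            // ordinary name: both checks accept
            "docs/../notes.txt",     // normalizes to /home/ABC/notes.txt: both accept
            "../ABCDEF/.profile",    // sibling dir sharing the prefix: only the flawed check accepts
            "../../etc/crontab",     // classic traversal: both reject
            "/home/ABC"              // the directory itself: only the hardened check rejects
        };
        for (String name : embeddedNames) {
            System.out.printf("%-22s flawed=%-5s hardened=%s%n",
                name, flawedIsInside(extractDir, name), isInside(extractDir, name));
        }
    }
}
```

The check above only normalizes lexically; if the extraction directory can be reached through a symbolic link, resolve it with toRealPath() before comparing.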

Affected Systems

This issue affects Apache PDFBox Examples (Apache Software Foundation) versions 2.0.24 through 2.0.36 and 3.0.0 through 3.0.7. Users who have incorporated this example into production code should upgrade to version 2.0.37 or 3.0.8 when released, or apply the code change from GitHub pull request 427.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while an EPSS score below 1% reflects a low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. Attackers must supply a malicious PDF to a user running the vulnerable example, and the write succeeds only where that user has write permission within their home directory. Successful exploitation would allow the attacker to create or modify files under the victim's home directory, compromising confidentiality and integrity for that user but not affecting the entire system.

Generated by OpenCVE AI on April 14, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Apache PDFBox to version 2.0.37 or 3.0.8 when available.
  • If a newer release is not yet available, apply the patch from GitHub pull request 427 to the ExtractEmbeddedFiles example.
  • Remove or isolate the example code in production environments until a secure version is deployed.
  • Verify that any copied instances of the example reflect the latest fixed code.
  • Monitor advisories for PDFBox path traversal updates to stay ahead of potential exploitation.


Advisories

  • GitHub GHSA GHSA-gcj8-76p4-g2fq: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
History

Mon, 20 Apr 2026 17:00:00 +0000
  • First Time appeared: added Apache pdfbox
  • CPEs: added cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*
  • Vendors & Products: added Apache pdfbox

Thu, 16 Apr 2026 00:15:00 +0000
  • References
  • Metrics threat_severity: removed None, added Moderate

Tue, 14 Apr 2026 21:15:00 +0000
  • Metrics ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 20:30:00 +0000
  • Metrics cvssV3_1: added {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 14 Apr 2026 16:30:00 +0000
  • First Time appeared: added Apache, Apache pdfbox Examples
  • Vendors & Products: added Apache, Apache pdfbox Examples

Tue, 14 Apr 2026 08:30:00 +0000
  • Description: added (same text as the Description section at the top of this page)
  • Title: added Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
  • Weaknesses: added CWE-22
  • References

MITRE
  Status: PUBLISHED
  Assigner: apache
  Published:
  Updated: 2026-04-14T19:50:07.000Z
  Reserved: 2026-03-24T17:06:35.279Z
  Link: CVE-2026-33929

Vulnrichment
  Updated: 2026-04-14T19:49:58.797Z

NVD
  Status: Analyzed
  Published: 2026-04-14T09:16:36.297
  Modified: 2026-04-20T16:58:21.073
  Link: CVE-2026-33929

Red Hat
  Severity: Moderate
  Public Date: 2026-04-14T08:09:39Z
  Links: CVE-2026-33929 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-15T15:30:06Z
