Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.


Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.

The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22), tracked as CVE-2026-23907. However, the change shipped in releases 2.0.36 and 3.0.7 is flawed because it does not take the file path separator into account: it only checks that the resolved output path starts with the output directory as a string. Because of that, a user with write rights on /home/ABC could fall victim to a malicious PDF that causes a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".

Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
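The prefix-check mistake the description refers to, re-created here as an added Python example rather than the PDFBox Java example code or the contents of PR 427. The output directory /home/ABC and the embedded-file names are constructed for the demonstration; `flawed_check` mirrors a bare string-prefix comparison, `fixed_check` is a hardened form that requires the directory plus a separator as the prefix.

```python
"""Prefix-check bug behind CVE-2026-33929, re-created in Python.

A guard that rejects an embedded-file name only when the resolved path
does not start with the output directory as a string lets a sibling
directory such as "/home/ABCDEF" pass a check against "/home/ABC".
Constructed example; not PDFBox's Java code.
"""
import posixpath

# Constructed: the directory the extractor is allowed to write into.
OUTPUT_DIR = "/home/ABC"


def resolve(base_dir, embedded_name):
    """Absolute, normalized path the extractor would write for a name
    taken straight from the PDF's embedded-files name tree.

    Only lexical normalization is done here (".." is collapsed); real code
    should also resolve symlinks (realpath / getCanonicalPath) first.
    """
    return posixpath.normpath(posixpath.join(base_dir, embedded_name))


def flawed_check(base_dir, embedded_name):
    """Bare string-prefix guard: no separator after the directory.

    Stops "../../etc/x" but still admits a sibling whose name merely
    begins with the output directory's name.
    """
    base = posixpath.normpath(base_dir)
    return resolve(base_dir, embedded_name).startswith(base)


def fixed_check(base_dir, embedded_name):
    """Hardened guard: the target must be strictly inside base_dir, i.e.
    start with base_dir followed by the path separator (the directory
    itself is not a valid file target either)."""
    base = posixpath.normpath(base_dir)
    prefix = base if base.endswith("/") else base + "/"
    return resolve(base_dir, embedded_name).startswith(prefix)


# Constructed embedded-file names as an attacker might place them in a PDF.
SAMPLE_NAMES = [
    "report.txt",              # benign
    "../ABCDEF/payload.sh",    # sibling-prefix bypass described in the CVE
    "sub/../../ABC-backup/x",  # same bug reached through a deeper name
    "../ABC",                  # the output directory itself
    "../../etc/cron.d/job",    # classic traversal, caught by both guards
]


def classify(base_dir=OUTPUT_DIR, names=SAMPLE_NAMES):
    """Return (name, resolved_path, flawed_allows, fixed_allows) per name."""
    return [
        (n, resolve(base_dir, n), flawed_check(base_dir, n), fixed_check(base_dir, n))
        for n in names
    ]


if __name__ == "__main__":
    for name, path, flawed, fixed in classify():
        print(f"{name:24} -> {path:24} flawed={flawed!s:5} fixed={fixed!s:5}")
```

On Windows an embedded name may also use the backslash separator, so a port of this check has to normalize both separators before comparing; resolving symlinks before the comparison closes the remaining gap that lexical normalization alone leaves open.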
Published: 2026-04-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path traversal leading to file writes outside the intended output directory (CVSS v3.1: integrity Low, no confidentiality or availability impact)
Action: Apply the PR 427 fix to any copied example code; update to 2.0.37 or 3.0.8 when released
AI Analysis

Impact

Improper limitation of a pathname to a restricted directory has been found in the ExtractEmbeddedFiles example of Apache PDFBox. The flaw allows a malicious PDF file to direct the example code to write to any location whose path begins with the output directory as a string, such as /home/ABCDEF when the example runs with write rights on /home/ABC. This can result in the creation or modification of files outside the intended output directory; the CVSS v3.1 vector (C:N/I:L/A:N) rates this as a limited integrity impact with no confidentiality or availability impact.

Affected Systems

The issue affects users who run, or have copied into their own code, the ExtractEmbeddedFiles example from Apache PDFBox Examples versions 2.0.24 through 2.0.36 and 3.0.0 through 3.0.7. The vulnerable code is in the examples module, not in the core PDFBox library. The example is maintained by the Apache Software Foundation under the PDFBox Examples project.

Risk and Exploitability

The CVSS v3.1 score is 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N; the EPSS score is below 1%, and the vulnerability is not listed in CISA's KEV catalog (SSVC: Exploitation none, Automatable no, Technical Impact partial). The flaw is a CWE-22 path traversal that lets a crafted PDF direct a write outside the intended output directory when the example, or a service that copied it, runs with file-system write permissions. Exploitation requires getting such a PDF processed by code that runs the example, with an embedded-file name built so that the resolved path shares the output directory as a string prefix (e.g. climbing from /home/ABC to /home/ABCDEF); the check added in 2.0.36 / 3.0.7 blocks names that climb to an unrelated directory but not this sibling case.

Generated by OpenCVE AI on April 14, 2026 at 09:20 UTC.

Remediation

The vendor fix is the change to the example code in GitHub PR 427; fixed releases 2.0.37 and 3.0.8 are announced but, at publication, not yet available.

OpenCVE Recommended Actions

  • Update to Apache PDFBox 2.0.37 or 3.0.8 once released.
  • If an update is not yet available, apply the fix from GitHub pull request 427 to the example code.
  • Replace any local copy of the ExtractEmbeddedFiles example with the corrected version from the repository.
  • Verify that the guard compares the canonical target path against the output directory plus a trailing path separator (or uses an equivalent parent-directory check), not a bare string prefix, and restrict file-system permissions so the example can write only to its intended output directory.


Advisories
Source: GitHub GHSA
ID: GHSA-gcj8-76p4-g2fq
Title: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
History

Tue, 14 Apr 2026 21:15:00 +0000
  Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 20:30:00 +0000
  Metrics added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 14 Apr 2026 16:30:00 +0000
  First time appeared: Apache; Apache pdfbox Examples
  Vendors & Products added: Apache; Apache pdfbox Examples

Tue, 14 Apr 2026 08:30:00 +0000
  Description added: the text shown in the Description section above
  Title added: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
  Weaknesses added: CWE-22
  References added: (none listed)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-14T19:50:07.000Z

Reserved: 2026-03-24T17:06:35.279Z

Link: CVE-2026-33929

Vulnrichment

Updated: 2026-04-14T19:49:58.797Z

NVD

Status: Received

Published: 2026-04-14T09:16:36.297

Modified: 2026-04-14T20:16:47.240

Link: CVE-2026-33929

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:43Z

Weaknesses