Description
PdfDing is a self-hosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0.
Published: 2026-04-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to confidential PDF documents
Action: Apply patch
AI Analysis

Impact

PdfDing, a self-hosted PDF manager, has an access-control flaw (CWE-863, Incorrect Authorization) that lets an unauthenticated user retrieve password-protected shared PDFs by calling the file-serving endpoint directly. The shared-link password is checked in a separate step that the serve endpoint does not itself enforce, so a client that skips that step still receives the document. The impact is confidentiality only: the CVSS vector records C:H/I:N/A:N, so integrity and availability are unaffected.
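
The pattern described above, as an added illustration that is not PdfDing's code and does not reproduce the actual 1.7.0 patch: a password-prompt route records a successful check in the client's session, and the file-serving route either ignores that state (the CWE-863 bug) or enforces it. The app structure, store, session key and share ids are constructed for the example; the views take a plain dict standing in for a Django-style request.session.

```python
# Added illustration (not PdfDing's code): the CWE-863 pattern behind a
# password-protected-share bypass, with a vulnerable and a hardened serve view.
# Stand-in for a Django-style app: views take a per-client session dict.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


@dataclass
class SharedPdf:
    share_id: str
    pdf_bytes: bytes
    salt: bytes
    password_hash: Optional[bytes]  # None means the share has no password


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_share(share_id: str, pdf_bytes: bytes, password: Optional[str] = None) -> SharedPdf:
    salt = os.urandom(16)
    digest = _hash_password(password, salt) if password else None
    return SharedPdf(share_id, pdf_bytes, salt, digest)


SHARES: Dict[str, SharedPdf] = {}   # hypothetical in-memory store for the example
UNLOCKED_KEY = "unlocked_shares"     # hypothetical session key: list of unlocked share ids


def password_view(share_id: str, submitted: str, session: dict) -> bool:
    """Route behind the password prompt. On success it records the unlock in
    the session, bound to this share id only (never a global 'unlocked' flag)."""
    share = SHARES.get(share_id)
    if share is None:
        raise NotFound(share_id)
    if share.password_hash is None:
        return True
    candidate = _hash_password(submitted, share.salt)
    if not hmac.compare_digest(candidate, share.password_hash):
        return False
    unlocked: List[str] = session.setdefault(UNLOCKED_KEY, [])
    if share_id not in unlocked:
        unlocked.append(share_id)
    return True


def serve_view_vulnerable(share_id: str, session: dict) -> bytes:
    """The flawed pattern: the serve route assumes the client came through
    password_view and never consults the session itself (CWE-863)."""
    share = SHARES.get(share_id)
    if share is None:
        raise NotFound(share_id)
    return share.pdf_bytes


def serve_view_fixed(share_id: str, session: dict) -> bytes:
    """Hardened: the route that hands out bytes enforces the password state."""
    share = SHARES.get(share_id)
    if share is None:
        raise NotFound(share_id)
    if share.password_hash is not None and share_id not in session.get(UNLOCKED_KEY, []):
        raise Forbidden("password verification required for %s" % share_id)
    return share.pdf_bytes


def demo() -> Dict[str, bool]:
    """Constructed scenario: two protected shares, one anonymous client."""
    SHARES.clear()
    SHARES["doc-a"] = make_share("doc-a", b"%PDF-1.7 constructed secret A", "correct horse")
    SHARES["doc-b"] = make_share("doc-b", b"%PDF-1.7 constructed secret B", "other password")
    session: dict = {}  # fresh, unauthenticated client session

    leaks = serve_view_vulnerable("doc-a", session) == SHARES["doc-a"].pdf_bytes
    try:
        serve_view_fixed("doc-a", session)
        blocked = False
    except Forbidden:
        blocked = True
    wrong_rejected = not password_view("doc-a", "guess", session)
    right_accepted = password_view("doc-a", "correct horse", session)
    served = serve_view_fixed("doc-a", session) == SHARES["doc-a"].pdf_bytes
    try:
        serve_view_fixed("doc-b", session)  # unlocking doc-a must not unlock doc-b
        other_still_locked = False
    except Forbidden:
        other_still_locked = True
    return {
        "vulnerable_serves_anonymous": leaks,
        "fixed_blocks_anonymous": blocked,
        "wrong_password_rejected": wrong_rejected,
        "fixed_serves_after_verify": right_accepted and served,
        "unlock_is_per_share": other_still_locked,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take from the hardened version is that the check lives on the endpoint that actually returns the bytes, and that the unlock recorded in the session is keyed by share id, so a password entered for one share cannot be replayed against another.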

Affected Systems

The flaw affects installations of PdfDing, published by mrmn2 and tracked under the CPE vendor pdfding (see the History entries below). Any deployment running a version older than 1.7.0 is vulnerable. The issue was fixed in version 1.7.0 and later releases.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (High) reflects a network-reachable endpoint (AV:N) with low attack complexity that requires no privileges and no user interaction (AC:L/PR:N/UI:N), with a confidentiality-only impact (C:H/I:N/A:N). The EPSS score is below 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in CISA's KEV catalog; the SSVC data nevertheless marks it as Automatable: yes. An attacker exploits it by sending an unauthenticated HTTP request directly to the file-serving endpoint, which returns the protected PDF without the password prompt ever being completed.

Generated by OpenCVE AI on April 7, 2026 at 22:36 UTC.

Remediation

Vendor fix: the issue is patched in PdfDing 1.7.0; upgrade to 1.7.0 or later. No vendor-provided workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade PdfDing to version 1.7.0 or later.
  • If an upgrade is not immediately possible, restrict reachability of the file-serving endpoint (for example, require authentication at a reverse proxy in front of PdfDing) or stop using shared links for sensitive documents until the upgrade. Any proxy rule must cover the serve endpoint itself, not only the password-prompt page, because the bypass calls the serve endpoint directly.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type: First Time appeared
  Values Added: Pdfding; Pdfding pdfding
Type: CPEs
  Values Added: cpe:2.3:a:pdfding:pdfding:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Pdfding; Pdfding pdfding

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
  Values Added: Mrmn2; Mrmn2 pdfding
Type: Vendors & Products
  Values Added: Mrmn2; Mrmn2 pdfding

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Added: PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0.
Type: Title
  Values Added: PdfDing: Password-protected share bypass via direct serve endpoint
Type: Weaknesses
  Values Added: CWE-863
Type: References
  Values Added:
Type: Metrics
  Values Added:
    cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    ssvc (version 2.0.3): Automatable: yes; Exploitation: none; Technical Impact: partial


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:53:12.317Z

Reserved: 2026-03-27T13:43:14.370Z

Link: CVE-2026-34376

Vulnrichment

Updated: 2026-04-01T18:53:06.820Z

NVD

Status : Analyzed

Published: 2026-04-01T18:16:30.177

Modified: 2026-04-07T20:16:13.720

Link: CVE-2026-34376

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:57:02Z

Weaknesses