Description
PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence — it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1.
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to shared PDFs after expiration or deletion
Action: Apply Patch
AI Analysis

Impact

The flaw resides in the function that checks whether a user may access a shared PDF. It verifies only that a session exists, neglecting to verify whether the shared PDF has expired, reached its maximum view count, or has been softly deleted. Because of this oversight the system will continue to grant access through the Serve and Download endpoints to any previously authorized user, even after the PDF should no longer be reachable. This fails proper authorization enforcement and can lead to accidental disclosure of content that was intended to be removed.

Affected Systems

The affected software is PdfDing, a self‑hosted PDF manager developed by mrmn2. Any installation running a version earlier than 1.7.1 is vulnerable, as those releases lack the necessary checks for inactive, exhausted, or deleted shared PDFs.

Risk and Exploitability

The base CVSS score of 6.5 indicates a moderate severity vulnerability, while the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low. The flaw has not been recorded in the CISA Known Exploited Vulnerabilities list. Attackers can exploit the vulnerability simply by using a valid session to hit the Serve or Download endpoints for a PDF that has expired, exceeded its view limits, or has been marked as deleted. No elevated privileges are required, and the exploitation path is straightforward once the endpoint is reachable.

Generated by OpenCVE AI on April 13, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PdfDing to version 1.7.1 or later to apply the fix that adds proper expiration, maximum view, and deletion checks.
  • Verify that Serve and Download endpoints are only reachable from trusted networks or behind authentication to reduce inadvertent exposure.
  • Monitor access logs for repeated access attempts to shared PDFs that should no longer be available and adjust firewall or ACL rules if necessary.

Generated by OpenCVE AI on April 13, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Pdfding
Pdfding pdfding
CPEs cpe:2.3:a:pdfding:pdfding:*:*:*:*:*:*:*:*
Vendors & Products Pdfding
Pdfding pdfding

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Mrmn2
Mrmn2 pdfding
Vendors & Products Mrmn2
Mrmn2 pdfding

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence — it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1.
Title PdfDing: Shared PDF Expiration, Max Views, and Deletion Bypass via Serve/Download Endpoints
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Mrmn2 Pdfding
Pdfding Pdfding
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:26:07.467Z

Reserved: 2026-03-30T16:56:30.999Z

Link: CVE-2026-34586

cve-icon Vulnrichment

Updated: 2026-04-03T16:26:03.588Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T21:16:31.123

Modified: 2026-04-13T16:53:41.963

Link: CVE-2026-34586

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:16Z

Weaknesses