Description
Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, allowing an attacker to redirect requests to internal endpoints via an intermediary URL. An attacker who can control the --source CLI argument or PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF). This vulnerability is fixed in 1.5.1.
Published: 2026-05-14
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Docling‑Graph builds a directed knowledge graph by turning document data into validated Pydantic objects, which are processed by the URLInputHandler class. Prior to version 1.5.1 the handler makes HTTP requests to URLs supplied by the user without validating whether they resolve to private, loopback, or link‑local addresses, and it performs an unconditional HEAD request with redirects enabled. This omission permits an attacker to supply a URL that resolves to an internal service or an external intermediary that redirects to an internal endpoint, thereby exfiltrating data or causing a denial of service. The vulnerability is rooted in improper input validation of network addresses (CWE‑601) and the failure to restrict outbound requests (CWE‑918).

Affected Systems

The fault exists in the docling‑project/docling‑graph Python package. All deployments using versions earlier than 1.5.1 are susceptible. The vulnerability is triggered through the CLI argument --source or the PipelineConfig.source API parameter, which is part of the public interface of the library.

Risk and Exploitability

The CVSS score of 5.7 indicates a moderate severity flaw. The EPSS score is unavailable, and the flaw is not listed in CISA’s KEV catalog, suggesting that publicly available exploit code may not have appeared. Nonetheless, an attacker with the ability to supply the source URL can practically perform an SSRF to internal resources, provided network segmentation is not enforced externally. The attack vector is remote and does not require privileged local access, making it easily exploitable in environments where untrusted users can influence the source parameter.

Generated by OpenCVE AI on May 14, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Docling‑Graph to version 1.5.1 or later, which includes input validation and blocks internal IPs.
  • If a patch is not immediately possible, restrict outbound traffic from the process to only trusted external endpoints and perform host or CIDR filtering to block private, loopback, and link‑local IP ranges.
  • Configure the underlying HTTP client to disallow redirects or validate that redirects do not lead to internal URLs before following them.

Generated by OpenCVE AI on May 14, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fqph-j6v6-jvgx docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler
History

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, allowing an attacker to redirect requests to internal endpoints via an intermediary URL. An attacker who can control the --source CLI argument or PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF). This vulnerability is fixed in 1.5.1.
Title Docling-Graph: SSRF via Missing Internal IP Validation in URLInputHandler
Weaknesses CWE-601
CWE-918
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:08:05.223Z

Reserved: 2026-05-06T19:38:10.565Z

Link: CVE-2026-44520

cve-icon Vulnrichment

Updated: 2026-05-14T18:05:50.327Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T18:16:50.010

Modified: 2026-05-14T18:27:25.110

Link: CVE-2026-44520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T18:30:26Z

Weaknesses