NIXPKGS-2026-0941
GitHub issue
published on
Permalink
CVE-2026-34376
7.5 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
PdfDing: Password-protected share bypass via direct serve endpoint
PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0.
References
-
https://github.com/mrmn2/PdfDing/security/advisories/GHSA-42x7-vvj4-4cj3 x_refsource_CONFIRM
-
https://github.com/mrmn2/PdfDing/pull/294 x_refsource_MISC
-
https://github.com/mrmn2/PdfDing/releases/tag/v1.7.0 x_refsource_MISC
Affected products
PdfDing
- ==< 1.7.0
Package maintainers
-
@ethancedwards8 Ethan Carter Edwards <ethan@ethancedwards.com>
-
@Prince213 Sizhe Zhao <prc.zhao@outlook.com>
-
@wegank Weijia Wang <contact@weijia.wang>
-
@phanirithvij Phani Rithvij <phanirithvij2000@gmail.com>
-
@eljamm Fedi Jamoussi <fedi.jamoussi@protonmail.ch>