Cyber Resilience

CVE-2026-34376

High

Published: 01 April 2026

Published
01 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0002 6.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34376 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Pdfding Pdfding. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-34376 is an access-control vulnerability (CWE-863: Incorrect Authorization) in PdfDing, a self-hosted PDF manager, viewer, and editor. In versions prior to 1.7.0, the issue enables unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint, bypassing the password verification flow. This exposes confidential documents that users intended to protect via shared-link passwords. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity and no privileges required.

Unauthenticated attackers with network access to a vulnerable PdfDing instance can exploit this flaw. By obtaining a shared link and directly requesting the associated PDF file from the serving endpoint, they bypass authentication entirely, achieving unauthorized read access to sensitive documents without needing user interaction or special privileges.

The vulnerability has been patched in PdfDing version 1.7.0. Administrators should upgrade to this version or later to mitigate the issue. Official resources include the GitHub security advisory (GHSA-42x7-vvj4-4cj3), the patching commit (ae579ea98c5603d1435e0d90e81d72151564088a), pull request #294, and release notes for v1.7.0.

EU & UK References

Vulnerability details

PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing…

more

the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass in public-facing web app enables unauthenticated retrieval of protected files via direct endpoint access, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21565Shared CWE-863
CVE-2026-46823Shared CWE-863
CVE-2026-44260Shared CWE-863
CVE-2024-13277Shared CWE-863
CVE-2025-30743Shared CWE-863
CVE-2026-30947Shared CWE-863
CVE-2026-34453Shared CWE-863
CVE-2025-54253Shared CWE-863
CVE-2026-34646Shared CWE-863
CVE-2025-10611Shared CWE-863

Affected Assets

pdfding
pdfding
≤ 1.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates enforcement of approved authorizations for access to system resources, directly preventing bypass of password verification when serving protected PDFs via direct endpoint calls.

prevent

Requires the system to make and enforce correct access control decisions for resources like confidential PDFs, addressing the incorrect authorization that allowed unauthenticated access.

prevent

Requires identification and authentication of non-organizational users accessing shared links, countering the unauthenticated retrieval of password-protected documents.

References