Cyber Posture

CVE-2026-34376

Severity: High

Published: 01 April 2026
Modified: 07 April 2026
KEV Added: not listed
Patch: available (fixed in version 1.7.0)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (15.1th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34376 is a high-severity Incorrect Authorization (CWE-863) vulnerability in PdfDing. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 15.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- AC-3 Access Enforcement (prevent): Mandates enforcement of approved authorizations for access to system resources, directly preventing bypass of password verification when serving protected PDFs via direct endpoint calls.

- AC-24 Access Control Decisions (prevent): Requires the system to make and enforce correct access control decisions for resources like confidential PDFs, addressing the incorrect authorization that allowed unauthenticated access.

- IA-8 Identification and Authentication (Non-Organizational Users) (prevent): Requires identification and authentication of non-organizational users accessing shared links, countering the unauthenticated retrieval of password-protected documents.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An authorization bypass in a public-facing web application enables unauthenticated retrieval of protected files via direct endpoint access, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PdfDing is a self-hosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0.

Deeper analysis [AI]

CVE-2026-34376 is an access-control vulnerability (CWE-863: Incorrect Authorization) in PdfDing, a self-hosted PDF manager, viewer, and editor. In versions prior to 1.7.0, the issue enables unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint, bypassing the password verification flow. This exposes confidential documents that users intended to protect via shared-link passwords. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity and no privileges required.

Unauthenticated attackers with network access to a vulnerable PdfDing instance can exploit this flaw. By obtaining a shared link and directly requesting the associated PDF file from the serving endpoint, they bypass authentication entirely, achieving unauthorized read access to sensitive documents without needing user interaction or special privileges.

The vulnerability has been patched in PdfDing version 1.7.0. Administrators should upgrade to this version or later to mitigate the issue. Official resources include the GitHub security advisory (GHSA-42x7-vvj4-4cj3), the patching commit (ae579ea98c5603d1435e0d90e81d72151564088a), pull request #294, and release notes for v1.7.0.
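The defect class described above is an enforcement-point mistake: the password check lives in the page that renders the password form, while the endpoint that actually returns the file bytes only checks that the share exists. The following is an added illustration written for this page; it is not PdfDing's code, the PR #294 fix, or the project's data model. It assumes a hypothetical `SharedPdf` record, a session dictionary standing in for a web framework session, and a `verified_shares` session key, all of which are constructed here. It shows the vulnerable serving function beside a hardened one that consults the same authorization state the password step records, which is the AC-3 / AC-24 enforcement the controls section calls for.

```python
"""Illustrative model of a shared-link password bypass (added example, not PdfDing's code).

The names SharedPdf, verify_password, serve_file_vulnerable, serve_file_fixed
and the session key "verified_shares" are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed hashing cost for the example


@dataclass
class SharedPdf:
    share_id: str
    content: bytes
    password_hash: Optional[bytes] = None  # None means the link has no password
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))


def make_share(share_id: str, content: bytes, password: Optional[str] = None) -> SharedPdf:
    """Create a share record; store only a salted PBKDF2 hash of the link password."""
    share = SharedPdf(share_id, content)
    if password is not None:
        share.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), share.salt, PBKDF2_ROUNDS
        )
    return share


def verify_password(session: dict, share: SharedPdf, password: str) -> bool:
    """The password form handler: on success it records the share as verified in the session."""
    if share.password_hash is None:
        return True
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), share.salt, PBKDF2_ROUNDS
    )
    # Constant-time comparison so the check itself does not leak timing information.
    if hmac.compare_digest(candidate, share.password_hash):
        session.setdefault("verified_shares", set()).add(share.share_id)
        return True
    return False


def serve_file_vulnerable(session: dict, shares: Dict[str, SharedPdf],
                          share_id: str) -> Tuple[int, bytes]:
    """Shape of the defect: the file endpoint never consults the verification state.

    The password form is enforced on a different route, so a request that goes
    straight to this function is served regardless of whether that form was completed.
    """
    share = shares.get(share_id)
    if share is None:
        return 404, b""
    return 200, share.content


def serve_file_fixed(session: dict, shares: Dict[str, SharedPdf],
                     share_id: str) -> Tuple[int, bytes]:
    """Hardened form: the authorization decision is made where the bytes are served.

    A password-protected share is returned only if this session has passed
    verify_password() for exactly this share_id.
    """
    share = shares.get(share_id)
    if share is None:
        return 404, b""
    if share.password_hash is not None:
        verified = session.get("verified_shares", set())
        if share.share_id not in verified:
            return 403, b""  # deny: password flow not completed for this share
    return 200, share.content


def demo() -> Dict[str, Tuple[int, bytes]]:
    """Walk through the two endpoints with constructed sample data; returns the observed responses."""
    shares = {
        "abc123": make_share("abc123", b"%PDF-1.7 confidential", password="hunter2"),
        "pub999": make_share("pub999", b"%PDF-1.7 public"),
    }
    session: dict = {}  # a fresh, unauthenticated session
    results = {
        "vulnerable_no_password": serve_file_vulnerable(session, shares, "abc123"),
        "fixed_no_password": serve_file_fixed(session, shares, "abc123"),
        "fixed_public_link": serve_file_fixed(session, shares, "pub999"),
    }
    verify_password(session, shares["abc123"], "hunter2")
    results["fixed_after_password"] = serve_file_fixed(session, shares, "abc123")
    return results


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: HTTP {status}, {len(body)} bytes")
```

The point worth carrying into a code review of any file-serving route is the last check in `serve_file_fixed`: the session must prove verification for the specific share being requested, not merely that some password was entered somewhere, otherwise one unlocked share would unlock them all.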

Details

CWE(s): CWE-863 Incorrect Authorization

Affected Products: pdfding / pdfding, listed as ≤ 1.7.0 (the NVD description above states that the issue is patched in 1.7.0, i.e. versions prior to 1.7.0 are affected)

CVEs Like This One

- CVE-2026-23989 (shared CWE-863)
- CVE-2026-4933 (shared CWE-863)
- CVE-2026-31887 (shared CWE-863)
- CVE-2026-28808 (shared CWE-863)
- CVE-2026-34532 (shared CWE-863)
- CVE-2026-21309 (shared CWE-863)
- CVE-2026-29087 (shared CWE-863)
- CVE-2026-26308 (shared CWE-863)
- CVE-2024-13277 (shared CWE-863)
- CVE-2026-25875 (shared CWE-863)
