CVE-2026-34376— PdfDing: Password-protected share bypass via direct serve endpoint

PdfDing: Password-protected share bypass via direct serve endpoint

PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without completing the password verification flow. This results in unauthorized access to confidential documents that users expected to be protected by a shared-link password. This issue has been patched in version 1.7.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

授权机制不正确

PdfDing 安全漏洞

PdfDing是mrmn个人开发者的一个自托管的PDF管理、查看和编辑工具。 PdfDing 1.7.0之前版本存在安全漏洞，该漏洞源于存在访问控制漏洞，未经验证的用户可通过直接调用文件服务端点绕过密码验证流程，检索受密码保护的共享PDF，可能导致未经授权访问机密文档。

N/A

N/A