Document Processing Vulnerability in Docling Affects Generative AI Integrations
CVE-2026-44017

7.5 HIGH

Key Information:

Status
Vendor
CVE Published:
24 June 2026

What is CVE-2026-44017?

Docling, a tool that streamlines document processing with diverse format parsing and integrations into the generative AI ecosystem, is affected by a vulnerability in versions prior to 2.91.0. The flaw lies in the EasyOCR model download functionality, which extracts ZIP archives without validating the paths of the archive members. An attacker who controls the model download source, for example through a supply chain attack or DNS spoofing, could therefore write files to unintended locations on the system. Possible consequences include remote code execution by overwriting files, installation of persistent backdoors by altering startup scripts or SSH keys, and data corruption or full system compromise. The issue has been addressed in version 2.91.0.
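The defect described above is the classic "zip slip" pattern: an archive member named with `..` segments or an absolute path escapes the intended extraction directory. The following is an added example of the two mitigations a downloader should apply before unpacking, written for this page and not taken from Docling or EasyOCR: verify the downloaded bytes against a pinned digest (so a spoofed or tampered download source is rejected before any extraction), and validate every member's resolved path against the destination before writing anything. The archives, file names and the digest are constructed inline for the demonstration; `build_archive`, `safe_extract` and `verify_digest` are hypothetical helper names, not project APIs.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveMember(ValueError):
    """Raised when an archive entry would be written outside the destination directory."""


def verify_digest(archive_bytes: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded bytes against a digest pinned in the downloader.

    A DNS-spoofed or otherwise substituted archive will not match, so it is never unpacked."""
    return hashlib.sha256(archive_bytes).hexdigest() == expected_sha256


def is_within_directory(base: Path, target: Path) -> bool:
    """True if `target` resolves to `base` itself or to something beneath it."""
    base_resolved = base.resolve()
    target_resolved = target.resolve()
    return base_resolved == target_resolved or base_resolved in target_resolved.parents


def validate_members(zf: zipfile.ZipFile, dest: Path) -> list[str]:
    """Return the member names that are safe to extract into `dest`; raise on the first unsafe one."""
    safe = []
    for info in zf.infolist():
        name = info.filename
        # Absolute paths (POSIX or Windows drive letters) are never legitimate in a model archive.
        if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
            raise UnsafeArchiveMember(f"absolute path in archive: {name!r}")
        # Any '..' segment is a traversal attempt.
        if ".." in Path(name).parts:
            raise UnsafeArchiveMember(f"path traversal in archive: {name!r}")
        # Belt and braces: the joined, resolved path must still lie under dest.
        if not is_within_directory(dest, dest / name):
            raise UnsafeArchiveMember(f"member escapes destination: {name!r}")
        safe.append(name)
    return safe


def safe_extract(archive_bytes: bytes, dest: Path, expected_sha256: str) -> list[str]:
    """Check the digest, validate every member, and only then write files (no extractall())."""
    if not verify_digest(archive_bytes, expected_sha256):
        raise ValueError("archive digest does not match the pinned value; refusing to extract")
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = validate_members(zf, dest)  # all-or-nothing: nothing is written if any member is bad
        for name in members:
            target = dest / name
            if name.endswith("/"):
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as out:
                out.write(src.read())
    return members


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive for the demo (not a real model archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> tuple[list[str], str, str]:
    """Extract a benign archive, then show a traversal archive and a tampered archive being rejected."""
    benign = build_archive({"model/weights.bin": b"\x00" * 16, "model/config.json": b"{}"})
    benign_digest = hashlib.sha256(benign).hexdigest()  # would be pinned in the downloader
    hostile = build_archive({"../../outside.txt": b"should never be written"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "models"
        extracted = safe_extract(benign, dest, benign_digest)
        try:
            # Same archive bytes as the hostile one, digest "pinned" to it: only path validation protects us here.
            safe_extract(hostile, dest, hashlib.sha256(hostile).hexdigest())
            traversal_outcome = "extracted"
        except UnsafeArchiveMember as exc:
            traversal_outcome = f"rejected: {exc}"
        try:
            # Substituted bytes against the pinned digest of the benign archive.
            safe_extract(hostile, dest, benign_digest)
            digest_outcome = "extracted"
        except ValueError as exc:
            digest_outcome = f"rejected: {exc}"
        assert not (Path(tmp) / "outside.txt").exists()
    return extracted, traversal_outcome, digest_outcome


if __name__ == "__main__":
    print(demo())
```

Validation runs over the whole member list before the first write, so a partially unpacked archive is never left behind, and files are written through `open()` rather than `extractall()` so the check cannot be bypassed by a library default. The digest check is what closes the DNS-spoofing and supply-chain angle the advisory mentions; path validation alone would still let a trusted-but-buggy source overwrite arbitrary files.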

Affected Version(s)

docling < 2.91.0

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
