{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34586", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.999Z", "datePublished": "2026-03-31T20:27:50.597Z", "dateUpdated": "2026-03-31T20:27:50.597Z"}, "containers": {"cna": {"title": "PdfDing: Shared PDF Expiration, Max Views, and Deletion Bypass via Serve/Download Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mrmn2/PdfDing/security/advisories/GHSA-vfqx-2464-38wf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mrmn2/PdfDing/security/advisories/GHSA-vfqx-2464-38wf"}, {"name": "https://github.com/mrmn2/PdfDing/commit/a6783b259b25c839c52c6f2380333827a52e89eb", "tags": ["x_refsource_MISC"], "url": "https://github.com/mrmn2/PdfDing/commit/a6783b259b25c839c52c6f2380333827a52e89eb"}, {"name": "https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1"}], "affected": [{"vendor": "mrmn2", "product": "PdfDing", "versions": [{"version": "< 1.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:27:50.597Z"}, "descriptions": [{"lang": "en", "value": "PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence \u2014 it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1."}], "source": {"advisory": "GHSA-vfqx-2464-38wf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence \u2014 it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1."}], "id": "CVE-2026-34586", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T21:16:31.123", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mrmn2/PdfDing/commit/a6783b259b25c839c52c6f2380333827a52e89eb"}, {"source": "security-advisories@github.com", "url": "https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/mrmn2/PdfDing/security/advisories/GHSA-vfqx-2464-38wf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PdfDing", "source": "cna", "vendor": "mrmn2"}, "product": "pdfding", "vendor": "mrmn2"}], "analysis": {"en": {"generated_at": "2026-04-01T07:06:47.492036+00:00", "value": {"mitigation_remediation": ["Upgrade PdfDing to version\u202f1.7.1 or later to apply the official fix.", "Verify that accessed PDFs that have expired, reached the maximum view limit, or have been soft\u2011deleted are no longer reachable through the Serve or Download endpoints.", "Review server logs for unexpected Serve/Download activity that bypasses document-state checks.", "Ensure session cookies are invalidated after logout or timeout to reduce the window of access.", "Keep the application up to date and monitor the vendor\u2019s advisory channel for future updates."], "summary": {"action": "Update Software", "impact": "Unauthorized Access to Expired or Deleted Shared PDFs"}, "threat_synthesis": {"affected_systems": "Any self\u2011hosted deployment of PdfDing running a version earlier than 1.7.1 is affected. The product, developed by mrmn2, is commonly used as a PDF manager, viewer, and editor on multiple devices. The advisory lists v1.7.1 and later as the fixed release, so updating to that or a newer version removes the vulnerability.", "description_and_impact": "PdfDing contains an access\u2011control flaw in its shared\u2011PDF feature. The function check_shared_access_allowed() only verifies that a user session exists and does not verify the expiration date, maximum view count, or soft\u2011deletion status of a SharedPdf record. The Serve and Download endpoints rely solely on that function, allowing users who previously had authorized access to retrieve the PDF even after it has expired, exceeded its view limit, or was marked deleted. This flaw, identified as CWE\u2011863, permits unauthorized access to documents that were intended to be removed, raising confidentiality risks.", "risk_and_exploitability": "The CVSS base score is 6.5, indicating moderate severity. EPSS information is not available and the flaw is not listed in the CISA KEV catalog, suggesting it may not yet be exploited in the wild. Based on the description, the attack vector is an authenticated session that has previously been granted access to the shared PDF. An attacker only needs a valid share URL and a session cookie that passes the simple session existence check; no additional privileges or exploitation of other components are required. Because the system does not verify the document\u2019s status, the attacker can repeatedly download the same PDF after expiration or soft\u2011deletion, potentially exposing sensitive information to unauthorized users."}}}}, "created": "2026-04-02T07:52:52.395806+00:00", "updated": "2026-04-02T20:10:50.303380+00:00", "vendors": ["mrmn2", "mrmn2$PRODUCT$pdfding"]}