CVE-2026-34586
Authorization Bypass in PdfDing Shared PDF Access Before

Publication date: 2026-03-31

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
PdfDing is a self-hosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence; it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1.
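The shape of the missing check and its corrected form, as an added illustration that is not PdfDing's own code: the function and attribute names come from the advisory, but the SharedPdf fields, the session layout and the function bodies are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


# Hypothetical stand-in for PdfDing's SharedPdf record: only the properties the
# advisory names (inactive via expiration / max views, and deleted) are modelled.
@dataclass
class SharedPdf:
    pk: int
    expires_at: Optional[datetime] = None   # None: the share never expires
    max_views: Optional[int] = None         # None: unlimited views
    views: int = 0
    deleted: bool = False                   # soft-deletion flag

    def inactive(self, now: datetime) -> bool:
        """Expired or view limit reached; either makes the share unavailable."""
        expired = self.expires_at is not None and now >= self.expires_at
        exhausted = self.max_views is not None and self.views >= self.max_views
        return expired or exhausted


def check_shared_access_allowed_vulnerable(session: dict, share: SharedPdf, now: datetime) -> bool:
    """Assumed pre-1.7.1 shape of the bug: only the session marker is consulted,
    so a share that expired, hit its view cap or was soft-deleted is still served."""
    return share.pk in session.get("shared_pdf_access", set())


def check_shared_access_allowed_fixed(session: dict, share: SharedPdf, now: datetime) -> bool:
    """Hardened form: the session marker is necessary but not sufficient; the
    share itself must still be live at the time of each Serve/Download request."""
    if share.pk not in session.get("shared_pdf_access", set()):
        return False
    return not (share.deleted or share.inactive(now))


def demo() -> dict:
    """Constructed scenarios; returns (vulnerable, fixed) access decisions per case."""
    t0 = datetime(2026, 3, 31, tzinfo=timezone.utc)
    session = {"shared_pdf_access": {1, 2, 3}}   # all three shares were authorized earlier
    cases = {
        "expired": SharedPdf(pk=1, expires_at=t0 - timedelta(hours=1)),
        "view_limit_reached": SharedPdf(pk=2, max_views=5, views=5),
        "soft_deleted": SharedPdf(pk=3, deleted=True),
        "live": SharedPdf(pk=1, expires_at=t0 + timedelta(days=1), max_views=5, views=2),
    }
    return {
        name: (check_shared_access_allowed_vulnerable(session, s, t0),
               check_shared_access_allowed_fixed(session, s, t0))
        for name, s in cases.items()
    }
```

Only the "live" case should be allowed by both checks; the other three are allowed by the vulnerable check alone, which is the behaviour the advisory describes.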
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-13
Generated: 2026-06-16
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product    Version / Range
pdfding   pdfding    versions before 1.7.1 (1.7.1 excluded)
CWE ID     Description
CWE-863    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability exists in PdfDing, a self-hosted PDF manager, viewer, and editor. Before version 1.7.1, the function check_shared_access_allowed() only verified whether a user session existed; it did not check whether the shared PDF was inactive because it had expired or exceeded its maximum number of views, or whether it had been soft-deleted. Because the Serve and Download endpoints rely solely on this function, users who were previously authorized could still access shared PDF content after it should have become inaccessible due to expiration, view limits, or deletion.

Impact Analysis

This vulnerability can allow unauthorized continued access to shared PDF documents beyond their intended availability period or usage limits. Users who should no longer have access due to expiration, maximum view counts, or deletion can still view or download the content. This could lead to unintended information disclosure or data leakage.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade PdfDing to version 1.7.1 or later, where the issue has been patched.

Compliance Impact

This vulnerability allows previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion due to insufficient validation of access permissions.

Such unauthorized access to potentially sensitive documents could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict control over access to personal or protected health information.

However, the provided information does not explicitly state the impact on compliance with these standards.
