docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler — CVE-2026-44520
GHSA · GitHub · CVE-2026-44520
ID: CVE-2026-44520
Source: GHSA
Vendor: GitHub
Threat: medium
CVSS: 5.7
Summary
### Impact

The `URLInputHandler` class in `docling_graph/core/input/handlers.py` makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The `URLValidator` only checks for a valid scheme and non-empty `netloc`, performing no IP-level validation. Additionally, `requests.head()` was called with `allow_redirects=True`, allowing an…
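The two checks the advisory describes as missing, as an added example that is not docling-graph's code: a validator that keeps the scheme/netloc check but also resolves the host and rejects private, loopback and link-local answers, and a redirect follower that re-validates every hop instead of relying on `allow_redirects=True`. The `fetch(url) -> (status, location)` callable and the injectable `resolver` are assumptions made so the logic runs offline, not the library's API.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}

def resolve_host(host):
    """Resolve a hostname or IP literal to every address the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_non_public(addr):
    """True for loopback, private, link-local and other non-routable addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 range checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_url(url, resolver=resolve_host):
    """The scheme/netloc check the advisory describes, plus the missing IP-level check."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parsed.hostname:
        return False, "empty host"
    try:
        addrs = resolver(parsed.hostname)
    except (socket.gaierror, ValueError, KeyError):
        addrs = []
    if not addrs:
        return False, "host does not resolve"
    # Reject if ANY answer is non-public: a mixed A/AAAA response must not slip through.
    bad = [a for a in addrs if is_non_public(a)]
    if bad:
        return False, f"resolves to non-public address {bad[0]}"
    return True, "ok"

def fetch_with_checked_redirects(url, fetch, resolver=resolve_host, max_hops=3):
    """Follow redirects by hand, validating every hop. fetch(url) -> (status, location) is assumed."""
    for _ in range(max_hops + 1):
        ok, reason = validate_url(url, resolver)
        if not ok:
            return False, f"{url}: {reason}"
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return True, url
        url = urljoin(url, location)  # relative Location headers are resolved against the hop
    return False, "too many redirects"
```

Because the HTTP client resolves the name again when it connects, resolve-then-validate still leaves a DNS-rebinding window; pinning the validated address into the connection closes it.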
Product
pip: docling-graph
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.