{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34586", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.999Z", "datePublished": "2026-03-31T20:27:50.597Z", "dateUpdated": "2026-04-03T16:26:07.467Z"}, "containers": {"cna": {"title": "PdfDing: Shared PDF Expiration, Max Views, and Deletion Bypass via Serve/Download Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mrmn2/PdfDing/security/advisories/GHSA-vfqx-2464-38wf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mrmn2/PdfDing/security/advisories/GHSA-vfqx-2464-38wf"}, {"name": "https://github.com/mrmn2/PdfDing/commit/a6783b259b25c839c52c6f2380333827a52e89eb", "tags": ["x_refsource_MISC"], "url": "https://github.com/mrmn2/PdfDing/commit/a6783b259b25c839c52c6f2380333827a52e89eb"}, {"name": "https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1"}], "affected": [{"vendor": "mrmn2", "product": "PdfDing", "versions": [{"version": "< 1.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:27:50.597Z"}, "descriptions": [{"lang": "en", "value": "PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence \u2014 it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1."}], "source": {"advisory": "GHSA-vfqx-2464-38wf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:25:55.007553Z", "id": "CVE-2026-34586", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:26:07.467Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34586", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:25:55.007553Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:26:03.588Z"}}], "cna": {"title": "PdfDing: Shared PDF Expiration, Max Views, and Deletion Bypass via Serve/Download Endpoints", "source": {"advisory": "GHSA-vfqx-2464-38wf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mrmn2", "product": "PdfDing", "versions": [{"status": "affected", "version": "< 1.7.1"}]}], "references": [{"url": "https://github.com/mrmn2/PdfDing/security/advisories/GHSA-vfqx-2464-38wf", "name": "https://github.com/mrmn2/PdfDing/security/advisories/GHSA-vfqx-2464-38wf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mrmn2/PdfDing/commit/a6783b259b25c839c52c6f2380333827a52e89eb", "name": "https://github.com/mrmn2/PdfDing/commit/a6783b259b25c839c52c6f2380333827a52e89eb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1", "name": "https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence \u2014 it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:27:50.597Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34586", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:26:07.467Z", "dateReserved": "2026-03-30T16:56:30.999Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T20:27:50.597Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pdfding:pdfding:*:*:*:*:*:*:*:*", "matchCriteriaId": "FBD640DD-0D1C-47AE-91D8-20DDD2A1DC09", "versionEndExcluding": "1.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence \u2014 it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1."}], "id": "CVE-2026-34586", "lastModified": "2026-04-13T16:53:41.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T21:16:31.123", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mrmn2/PdfDing/commit/a6783b259b25c839c52c6f2380333827a52e89eb"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/mrmn2/PdfDing/releases/tag/v1.7.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/mrmn2/PdfDing/security/advisories/GHSA-vfqx-2464-38wf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PdfDing", "source": "cna", "vendor": "mrmn2"}, "product": "pdfding", "vendor": "mrmn2"}], "analysis": {"en": {"generated_at": "2026-04-13T19:11:11.884339+00:00", "value": {"mitigation_remediation": ["Upgrade PdfDing to version 1.7.1 or later to apply the fix that adds proper expiration, maximum view, and deletion checks.", "Verify that Serve and Download endpoints are only reachable from trusted networks or behind authentication to reduce inadvertent exposure.", "Monitor access logs for repeated access attempts to shared PDFs that should no longer be available and adjust firewall or ACL rules if necessary."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to shared PDFs after expiration or deletion"}, "threat_synthesis": {"affected_systems": "The affected software is PdfDing, a self\u2011hosted PDF manager developed by mrmn2. Any installation running a version earlier than 1.7.1 is vulnerable, as those releases lack the necessary checks for inactive, exhausted, or deleted shared PDFs.", "description_and_impact": "The flaw resides in the function that checks whether a user may access a shared PDF. It verifies only that a session exists, neglecting to verify whether the shared PDF has expired, reached its maximum view count, or has been softly deleted. Because of this oversight the system will continue to grant access through the Serve and Download endpoints to any previously authorized user, even after the PDF should no longer be reachable. This fails proper authorization enforcement and can lead to accidental disclosure of content that was intended to be removed.", "risk_and_exploitability": "The base CVSS score of 6.5 indicates a moderate severity vulnerability, while the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low. The flaw has not been recorded in the CISA Known Exploited Vulnerabilities list. Attackers can exploit the vulnerability simply by using a valid session to hit the Serve or Download endpoints for a PDF that has expired, exceeded its view limits, or has been marked as deleted. No elevated privileges are required, and the exploitation path is straightforward once the endpoint is reachable."}}}}, "created": "2026-04-02T07:52:52.395806+00:00", "updated": "2026-04-14T16:42:16.096168+00:00", "vendors": ["mrmn2", "mrmn2$PRODUCT$pdfding"]}