CVE-2026-44017: Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecos
Summary
Docling is a tool that processes documents in different formats and connects with AI systems. Before version 2.91.0, it had a security flaw: it downloaded AI models (EasyOCR) and extracted compressed files (ZIP archives) without validating that each archive member's path stays inside the intended extraction directory, allowing a Zip Slip attack (a technique where a specially crafted archive extracts files to unintended locations). If an attacker could intercept or compromise the model download, they could write malicious files anywhere on the system, potentially taking complete control of it.
Solution / Mitigation
Update to Docling version 2.91.0 or later. The vulnerability is fixed in 2.91.0.
Vulnerability Details
Severity: 7.5 (high)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack vector: network
Attack complexity: high
Privileges required: none
User interaction: required
Date: June 24, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44017
First tracked: June 25, 2026 at 08:22 AM
Classified by LLM (prompt v3) · confidence: 95%