CVE-2026-24009
📋 TL;DR
This vulnerability allows remote code execution through malicious YAML input in docling-core library versions 2.21.0 to 2.48.3. Attackers can execute arbitrary code on systems that process untrusted YAML data using the vulnerable load_from_yaml() method. Only applications using PyYAML versions below 5.4 are affected.
💻 Affected Systems
- docling-core
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Limited code execution within application context, potentially leading to data exfiltration or further privilege escalation.
If Mitigated
No code execution possible; YAML parsing fails safely with proper input validation and updated libraries.
🎯 Exploit Status
Exploitation requires sending malicious YAML payload to vulnerable endpoint. Similar PyYAML RCE exploits are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.48.4
Vendor Advisory: https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc
Restart Required: Yes
Instructions:
1. Upgrade docling-core to version 2.48.4 or later using pip install --upgrade docling-core==2.48.4
2. Restart all applications using docling-core
3. Verify PyYAML version is 5.4 or higher with pip show pyyaml
🔧 Temporary Workarounds
Upgrade PyYAML
Upgrade PyYAML to version 5.4 or higher, which includes SafeLoader by default
pip install --upgrade "pyyaml>=5.4"
Input Validation
Implement strict input validation to reject untrusted YAML data before processing
🧯 If You Can't Patch
- Disable YAML processing functionality that accepts external input
- Implement network segmentation to isolate vulnerable systems from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check docling-core version with pip show docling-core and PyYAML version with pip show pyyaml. Vulnerable if docling-core >=2.21.0 and <2.48.4 AND pyyaml <5.4.
Check Version:
pip show docling-core | grep Version && pip show pyyaml | grep Version
Verify Fix Applied:
Verify docling-core >=2.48.4 and pyyaml >=5.4 using pip show commands. Test with known malicious YAML payload to confirm safe rejection.
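The same check as a script, added here as an example and not taken from the advisory or from docling-core: it encodes the affected ranges stated above, reads installed versions through the standard library's importlib.metadata, and reports whether the pair falls in range. The distribution names docling-core and PyYAML are the real ones; the function names are this example's own.

```python
"""Added example (not from the advisory or docling-core): evaluate the
affected ranges stated above against installed package versions.
Standard library only, so it runs wherever pip does."""
import re
from importlib.metadata import PackageNotFoundError, version

# Ranges as this advisory states them: docling-core >= 2.21.0 and < 2.48.4
# together with PyYAML < 5.4.
DOCLING_FIRST_AFFECTED = (2, 21, 0)
DOCLING_FIXED = (2, 48, 4)
PYYAML_FIXED = (5, 4, 0)


def parse_version(text: str) -> tuple:
    """'2.48.3' -> (2, 48, 3); '5.4' -> (5, 4, 0).
    Only the numeric release segment is compared: a suffix such as 'rc1' or
    '.post1' ends parsing, so '2.48.4rc1' compares as (2, 48, 4)."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
        if match.end() != len(piece):
            break
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(docling_version: str, pyyaml_version: str) -> bool:
    """True only when both conditions from the advisory hold at once."""
    docling = parse_version(docling_version)
    pyyaml = parse_version(pyyaml_version)
    docling_in_range = DOCLING_FIRST_AFFECTED <= docling < DOCLING_FIXED
    pyyaml_in_range = pyyaml < PYYAML_FIXED
    return docling_in_range and pyyaml_in_range


def installed_version(distribution: str):
    """Installed version of a distribution, or None when it is absent."""
    try:
        return version(distribution)
    except PackageNotFoundError:
        return None


def check_environment() -> dict:
    """Assess the running interpreter. 'vulnerable' stays None when either
    package is missing, because there is then nothing to assess."""
    docling = installed_version("docling-core")
    pyyaml = installed_version("PyYAML")
    report = {"docling-core": docling, "PyYAML": pyyaml, "vulnerable": None}
    if docling is not None and pyyaml is not None:
        report["vulnerable"] = is_vulnerable(docling, pyyaml)
    return report


if __name__ == "__main__":
    print(check_environment())
```

Run it inside the same virtual environment as the application; a second interpreter with a different site-packages answers a different question.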
📡 Detection & Monitoring
Log Indicators:
- Unusual process spawns from Python applications
- YAML parsing errors with suspicious content
- Unexpected system commands executed
Network Indicators:
- Large or malformed YAML payloads to document processing endpoints
- Unusual outbound connections from application servers
SIEM Query:
source="application.logs" AND ("load_from_yaml" OR "yaml.load") AND (process_spawn OR command_execution)
🔗 References
- https://github.com/advisories/GHSA-8q59-q68h-6hv4
- https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c
- https://github.com/docling-project/docling-core/issues/482
- https://github.com/docling-project/docling-core/releases/tag/v2.48.4
- https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc