CVE-2026-47214 - Docling HTML backend URI and path handling

Docling’s HTML backend did not apply enough validation around local paths, remote URLs, redirects, and resource sizes while resolving resources embedded in HTML documents. In a document-ingestion, RAG, support-upload, or agent knowledge-base pipeline, untrusted HTML can cross from “parse this document” to “fetch this internal URL” or “read this local path” unless the runtime and fetch options are locked down.

The fix is not only a dependency bump. A reviewer-ready PR should also prove that untrusted HTML conversion keeps enable_local_fetch and enable_remote_fetch disabled unless a narrow, owned allow-list and base path are present. Related June 2026 Docling advisories cover the same ingestion boundary: unsafe Playwright rendering and unsafe remote filename resolution in docling-core.

When to use it

Use this recipe when a repository, document-ingestion service, RAG pipeline, or agent knowledge-base workflow converts untrusted HTML with Docling. It supports source-code remediation, SSRF/path containment, resource-fetch policy review, and audit evidence that HTML conversion cannot read local files or fetch internal network resources.

Inputs

  • Docling version, HTML backend configuration, enable_local_fetch and remote fetch policy, redirect handling, resource-size limits, and deployment egress.
  • Source paths that call Docling conversion, accept uploaded HTML, resolve embedded resources, fetch URLs, read local paths, or serialize conversion logs.
  • Regression fixtures for file://, local paths, localhost/private IPs, redirects, large resources, valid public assets, and expected block behavior.
  • Boundary evidence: document sources, network egress policy, temp storage, credentials, logs, customer data classification, and ingestion owner.

Affected versions

Package Vulnerable versions Fixed versions
docling < 2.94.0 for the HTML backend URI/path issue 2.94.0+
docling >=2.82.0, <2.91.0 for related Playwright HTML rendering exposure 2.91.0+
docling-core >=1.5.0, <2.74.1 for related remote filename/path handling 2.74.1+

Indicator-of-exposure

  • The repository resolves docling <2.94.0 or docling-core <2.74.1.
  • The application accepts user-supplied HTML, URLs, uploaded documents, archived documents, support attachments, email bodies, knowledge-base pages, model-generated documents, or tenant-provided content for Docling conversion.
  • HTML conversion enables local or remote resource fetching, explicitly or via wrapper defaults.
  • HTML conversion enables Playwright rendering for untrusted documents.
  • The converter runs with access to metadata services, internal services, mounted secrets, tenant files, build credentials, or shared cache directories.

Quick checks:

rg -n "docling|DocumentConverter|InputFormat\\.HTML|HTMLFormatOption|enable_local_fetch|enable_remote_fetch|render_page|base_path|docling_core|docling-core|download|Content-Disposition" .
python -m pip show docling docling-core
python -m pip freeze | rg "^(docling|docling-core)=="
pipdeptree -p docling,docling-core

Remediation strategy

  • Upgrade docling to 2.94.0+ and docling-core to 2.74.1+.
  • Regenerate lockfiles, constraints, SBOMs, images, deployment artifacts, and scanner evidence.
  • Keep enable_local_fetch=False and enable_remote_fetch=False for untrusted HTML. If a product requires either option, add explicit owner approval, base-path containment, URL scheme checks, private-IP blocking, redirect validation, response-size limits, and egress allow-lists.
  • Disable render_page=True for untrusted HTML unless the render environment is isolated, offline when remote fetch is disabled, and unable to reach secrets or internal networks.
  • Add regression tests around the repository’s actual conversion wrapper, not only direct library calls.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-47214 / GHSA-q29v-xc37-wh5m, a Docling HTML
backend URI and path-handling issue. Also account for the same ingestion
boundary covered by CVE-2026-44016 and CVE-2026-44023 when those packages are
resolved. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Docling, locks down
  untrusted document conversion, adds safe SSRF/path-containment regression
  tests, refreshes generated artifacts, and documents operator actions, or
- TRIAGE.md if this repository does not control an affected Docling-based
  document-ingestion path.

## Rules

- Scope only CVE-2026-47214, related Docling HTML/resource-fetch advisories,
  and directly related document-conversion wrappers.
- Do not send test requests to real internal services, metadata endpoints,
  production URLs, customer documents, or privileged tenant content.
- Do not log document contents, signed URLs, cookies, bearer tokens, API keys,
  tenant IDs, or converted output that may contain secrets.
- Do not enable local or remote fetch for untrusted HTML to make a conversion
  test pass.
- Do not auto-merge.

## Steps

1. Inventory every Docling use across manifests, lockfiles, constraints,
   Docker images, notebooks, worker services, ingestion APIs, CLI wrappers,
   SBOMs, and generated dependency reports.
2. Determine resolved versions for `docling` and `docling-core`. A target is
   affected if it resolves `docling <2.94.0`, `docling >=2.82.0, <2.91.0` with
   Playwright HTML rendering, or `docling-core >=1.5.0, <2.74.1`.
3. Trace every path that passes untrusted or mixed-trust documents, HTML, URLs,
   archives, email bodies, support uploads, knowledge-base pages, or
   model-produced content into Docling.
4. Identify conversion options and wrapper defaults for HTML:
   `enable_local_fetch`, `enable_remote_fetch`, `render_page`, `base_path`,
   remote download, redirects, cache location, and resource-size handling.
5. If the repository does not control an affected document-ingestion path, stop
   with `TRIAGE.md` listing checked files, resolved versions, and why exposure
   is absent.
6. Upgrade `docling` to `2.94.0+` and `docling-core` to `2.74.1+`. Refresh
   lockfiles, constraints, SBOMs, images, generated dependency reports, and
   deployment artifacts.
7. Harden untrusted HTML conversion defaults:
   - keep local and remote fetch disabled by default;
   - require explicit owner-approved allow-lists for remote fetch;
   - enforce base-path containment for any local fetch;
   - block `file`, loopback, link-local, private, and metadata-service
     destinations unless a documented offline fixture explicitly allows them;
   - validate redirects after each hop;
   - cap remote response size, decoded data URI size, file count, and wall time;
   - keep Playwright rendering disabled for untrusted HTML unless isolated.
8. Add safe regression tests that use inert fixture hostnames and local temp
   directories:
   - untrusted HTML does not fetch remote resources by default;
   - local fetch cannot escape the configured base path;
   - redirects are revalidated before fetching;
   - oversized or data-URI resources are rejected or bounded;
   - Playwright rendering remains disabled or offline for untrusted HTML.
9. Add a PR body section named `CVE-2026-47214 operator actions` that states:
   - Docling and docling-core versions before and after;
   - which ingestion surfaces accept untrusted documents;
   - whether local fetch, remote fetch, or Playwright rendering remains enabled;
   - which egress, cache, and size controls were added or verified;
   - which validation commands passed.
10. Run available validation: package install, unit tests, ingestion tests,
    typecheck/lint, build, container build, SBOM refresh, dependency/security
    scans, and any worker or queue integration tests in this repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-47214 in Docling ingestion`.

## Stop conditions

- No controlled package, image, notebook, or worker resolves affected Docling
  versions.
- Docling is present only in docs, examples, or offline research code that does
  not process untrusted documents.
- Safe verification would require production documents, live internal network
  probing, customer content, or privileged tenant credentials.
- The required fix belongs to a separately owned ingestion service; document
  the owner, fixed target versions, and temporary fetch restrictions.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades Docling, keeps local and remote fetch disabled for untrusted HTML, adds SSRF/path containment tests, and documents ingestion controls.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, ingestion boundary, fetch policy, required fix, and residual risk.
  • The output must include exact validation commands and must not fetch cloud metadata, internal services, local files, or customer documents.

Verification - what the reviewer looks for

  • No controlled lockfile, constraints file, image, SBOM, or generated dependency report resolves affected Docling versions.
  • Untrusted HTML conversion keeps local fetch, remote fetch, and Playwright rendering disabled unless a narrow owner-approved control exists.
  • Regression tests cover the repository’s actual ingestion wrapper and use inert fixtures rather than live internal targets.
  • PR notes identify every user-controlled document surface and any remaining containment.

Watch for

  • Upgrading docling while a transitive or separately pinned docling-core remains vulnerable.
  • Wrapper defaults that silently turn on remote fetch for convenience in a RAG or support-upload path.
  • Browser rendering tests that run with network access to metadata services or tenant-internal hosts.
  • Cache directories shared across tenants or jobs after remote filename handling is changed.

References