CVE-2026-23907

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/JoakimBulow/	Not Applicable
https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/03/10/1	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:pdfbox::::::::
	cpe:2.3:a:apache:pdfbox::::::::

History

No history.

Information

Published : 2026-03-10 18:18

Updated : 2026-03-13 16:45

NVD link : CVE-2026-23907

Mitre link : CVE-2026-23907

CVE.ORG link : CVE-2026-23907

JSON object : View

Products Affected

apache

pdfbox

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-23907", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-10T18:18:16.960", "references": [{"url": "https://github.com/JoakimBulow/", "tags": ["Not Applicable"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/10/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "This issue affects the \nExtractEmbeddedFiles example in\u00a0Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.\n\n\nThe ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because \nthe filename that is obtained from \nPDComplexFileSpecification.getFilename() is appended to the extraction path.\n\nUsers who have copied this example into their production code should \nreview it to ensure that the extraction path is acceptable. The example \nhas been changed accordingly, now the initial path and the extraction \npaths are converted into canonical paths and it is verified that \nextraction path contains the initial path. The documentation has also \nbeen adjusted."}, {"lang": "es", "value": "Este problema afecta al ejemplo ExtractEmbeddedFiles en Apache PDFBox: desde 2.0.24 hasta 2.0.35, desde 3.0.0 hasta 3.0.6.\n\nEl ejemplo ExtractEmbeddedFiles contiene una vulnerabilidad de salto de ruta (CWE-22) porque el nombre de archivo que se obtiene de PDComplexFileSpecification.getFilename() se a\u00f1ade a la ruta de extracci\u00f3n.\n\nLos usuarios que han copiado este ejemplo en su c\u00f3digo de producci\u00f3n deber\u00edan revisarlo para asegurarse de que la ruta de extracci\u00f3n es aceptable. El ejemplo ha sido modificado en consecuencia, ahora la ruta inicial y las rutas de extracci\u00f3n se convierten en rutas can\u00f3nicas y se verifica que la ruta de extracci\u00f3n contiene la ruta inicial. La documentaci\u00f3n tambi\u00e9n ha sido ajustada."}], "lastModified": "2026-03-13T16:45:28.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C68269E-0203-4CC0-A46A-79EE0707D72B", "versionEndIncluding": "2.0.35", "versionStartIncluding": "2.0.24"}, {"criteria": "cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C8FF3B3-3A97-4F50-BCDE-8EEA175F4C61", "versionEndIncluding": "3.0.7", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}