CVE-2026-33929: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Apache Software Foundation Apache PDFBox Examples
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) addressed in CVE-2026-23907. However, the change in releases 2.0.36 and 3.0.7 is flawed because it does not take the file path separator into account. As a result, a user with write permissions on /home/ABC could fall victim to a malicious PDF that triggers a write attempt to any path starting with the string /home/ABC, e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
AI Analysis
Technical Summary
This vulnerability (CWE-22) in Apache PDFBox Examples affects the ExtractEmbeddedFiles example, which does not correctly restrict the output file name of an embedded file to the designated output directory. The fix shipped in 2.0.36 and 3.0.7 for CVE-2026-23907 validates the resolved target path with a plain string prefix comparison and does not require a path separator to follow the allowed prefix. A string prefix check accepts any path whose text begins with the allowed directory, so a malicious PDF can direct a write to a sibling directory whose name merely extends the allowed one (e.g. /home/ABCDEF when the allowed directory is /home/ABC). The project has since corrected the example so that the comparison respects the path separator. Users who have copied this example into their own code should apply the fix from GitHub PR 427 or upgrade to the fixed versions when released.
Potential Impact
A malicious PDF processed by the vulnerable ExtractEmbeddedFiles example could cause files to be written outside the intended output directory, specifically into sibling directories whose names begin with the allowed directory's name. This could result in data corruption or unauthorized modification of files in those directories if the user running the code has write permissions there. The flaw is in the examples module, not in the PDFBox library API: it affects anyone running ExtractEmbeddedFiles against untrusted PDFs and anyone who has copied the example into their own code.
Mitigation Recommendations
Users should update to Apache PDFBox version 2.0.37 or 3.0.8 once these versions are available, as they contain the corrected example code. Until then, users who have copied the ExtractEmbeddedFiles example into their own code should apply the fix provided in GitHub PR 427. Note that 2.0.36 and 3.0.7, which fixed CVE-2026-23907, are still affected by this issue. When verifying a local fix, confirm that the target path is normalized before it is compared and that the comparison is made on whole path components (the allowed directory followed by a separator) rather than on a raw string prefix; a test with an output directory of /home/ABC and an embedded file name resolving to /home/ABCDEF should be rejected. The example code in the official project repository has been corrected accordingly.
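The separator flaw described in the technical summary and the component-wise check the mitigation section calls for, as an added Java illustration written for this page. It is not the ExtractEmbeddedFiles example itself and not the code from GitHub PR 427; the method and class names, the `/home/ABC` output directory and the embedded file names are constructed for the demonstration, and the path strings assume a Unix-style file system.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration, not PDFBox project code. Contrasts a string prefix check,
// which is what the text describes as flawed, with a component-wise check.
public class EmbeddedFileTargetCheck {

    // Flawed variant: compares the textual form of the paths. "/home/ABCDEF"
    // starts with the characters "/home/ABC", so it is wrongly accepted.
    static boolean flawedPrefixCheck(Path baseDir, String embeddedName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(embeddedName).toAbsolutePath().normalize();
        return target.toString().startsWith(base.toString());
    }

    // Hardened variant: Path.startsWith compares whole path components, so it
    // only succeeds when base is an ancestor directory of target. normalize()
    // collapses "../" segments first, and the equals() guard rejects a name that
    // resolves to the output directory itself.
    static boolean safePrefixCheck(Path baseDir, String embeddedName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(embeddedName).toAbsolutePath().normalize();
        return target.startsWith(base) && !target.equals(base);
    }

    public static void main(String[] args) {
        Path base = Paths.get("/home/ABC");
        // Constructed sample names, of the kind a malicious PDF could carry as
        // embedded file names. Only the first one should be accepted.
        String[] names = {
            "report.txt",            // legitimate: /home/ABC/report.txt
            "../ABCDEF/evil.sh",     // resolves to /home/ABCDEF/evil.sh
            "/home/ABCDEF/evil.sh",  // absolute name, same target
            "sub/../../ABC2/x"       // resolves to /home/ABC2/x
        };
        for (String n : names) {
            System.out.printf("%-24s flawed=%-5b safe=%b%n",
                    n, flawedPrefixCheck(base, n), safePrefixCheck(base, n));
        }
    }
}
```

Run with `javac EmbeddedFileTargetCheck.java && java EmbeddedFileTargetCheck`; the flawed check accepts all four names, the hardened check accepts only `report.txt`. Neither variant resolves symbolic links; if the output directory may contain links pointing elsewhere, call `toRealPath()` on the directory before comparing.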
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-03-24T17:06:35.279Z
- CVSS Version: not provided
- State: PUBLISHED
- Remediation Level: not provided
Threat ID: 69ddf7fa82d89c981f0815e6
Added to database: 4/14/2026, 8:16:58 AM
Last enriched: 4/14/2026, 8:31:57 AM
Last updated: 4/14/2026, 12:13:05 PM