CVE-2026-34586 is an authorization bypass vulnerability identified in the PdfDing application, a self-hosted PDF manager, viewer, and editor developed by mrmn2. The vulnerability stems from the function check_shared_access_allowed(), which prior to version 1.7.1, only checks for the existence of a valid session but fails to verify critical access control parameters such as whether the shared PDF has become inactive due to expiration, exceeded maximum view counts, or has been soft-deleted. The Serve and Download endpoints rely exclusively on this flawed function to authorize access to shared PDF content. As a result, users who had legitimate access previously can continue to access shared documents even after the intended access period has expired, the view limit has been reached, or the document has been marked deleted. This represents an incorrect authorization flaw categorized under CWE-863 (Incorrect Authorization). The vulnerability allows an attacker with low privileges (authenticated user) to bypass intended access restrictions without requiring any user interaction. The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with a vector indicating network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. Although no known exploits have been reported in the wild, the flaw poses a risk to confidentiality of sensitive documents shared via PdfDing. The issue has been addressed in PdfDing version 1.7.1 by enhancing the authorization checks to include validation of the shared PDF's inactive status and deletion state.

The primary impact of this vulnerability is unauthorized continued access to shared PDF documents beyond their intended access controls, potentially exposing sensitive or confidential information. Organizations relying on PdfDing for document sharing may face data confidentiality breaches if expired or deleted shared PDFs remain accessible to previously authorized users. This can lead to leakage of intellectual property, personally identifiable information, or other sensitive data. Since the vulnerability does not affect integrity or availability, the risk is confined to confidentiality. The ease of exploitation (low complexity, network accessible, no user interaction) combined with the medium severity score indicates a moderate risk. Organizations with strict data governance, compliance requirements, or handling sensitive documents are particularly at risk. The lack of known exploits in the wild reduces immediate threat but does not eliminate the risk of future exploitation. Failure to patch may result in unauthorized data exposure and potential regulatory or reputational consequences.

Organizations using PdfDing should immediately upgrade to version 1.7.1 or later, where the vulnerability has been patched by enforcing proper authorization checks that validate shared PDF expiration, view limits, and deletion status. Until upgrade is possible, administrators should consider disabling the Serve and Download endpoints for shared PDFs or restrict access to trusted users only. Implement monitoring and logging of access to shared PDFs to detect anomalous or unauthorized access attempts. Review and tighten session management policies to limit session reuse or prolonged access. Additionally, conduct audits of shared PDF content to identify any sensitive documents that may have been exposed due to this flaw. Educate users about the importance of revoking shared document access promptly and using secure sharing practices. Finally, maintain an up-to-date inventory of PdfDing instances and ensure timely application of security patches.