Bug 2445994 (CVE-2026-23907)

Summary: CVE-2026-23907 org.apache.pdfbox:pdfbox-examples: Apache PDFBox Example: Path Traversal via specially crafted filenames allows arbitrary file write
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: asoldano, ataylor, bbaranow, bmaxwell, brian.stansberry, chfoley, darran.lofthouse, dbruscin, dosoudil, fjuma, fmariani, gmalinko, istudens, ivassile, iweiss, janstey, kvanderr, mosmerov, msvehla, nwallace, pberan, pdelbell, pesilva, pjindal, pmackay, rgodfrey, rstancel, rstepani, smaestri, swoodman, tcunning, tom.jenkinson, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A path traversal vulnerability was identified in the ExtractEmbeddedFiles example provided with Apache PDFBox. The example code constructs extraction paths by directly appending filenames obtained from PDComplexFileSpecification.getFilename() without validating the resulting path. An attacker could exploit this behavior by embedding files in a PDF document with crafted filenames containing path traversal sequences. If the example code is reused in an application without modification, this could cause extracted files to be written outside the intended extraction directory, potentially leading to data corruption or unauthorized file creation.

Description OSIDB Bzimport 2026-03-10 11:01:25 UTC
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.


The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path.

Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly: the initial path and the extraction paths are now converted into canonical paths, and it is verified that the extraction path contains the initial path. The documentation has also been adjusted.
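
A containment check of the kind described above, for code that copied the example. This is an added illustration, not the PDFBox patch; the class `SafeExtractPath` and the helper `resolveInside` are hypothetical names, and the sample filenames are constructed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeExtractPath {

    // Hypothetical helper: resolves an untrusted embedded-file name (such as
    // the value returned by PDComplexFileSpecification.getFilename()) against
    // the extraction directory and rejects results that escape it.
    static File resolveInside(File baseDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IOException("empty embedded filename");
        }
        // Canonicalize both sides so "..", "." and symlinks are resolved
        // before the comparison is made.
        Path base = baseDir.getCanonicalFile().toPath();
        Path target = new File(baseDir, untrustedName).getCanonicalFile().toPath();
        // Path.startsWith compares whole path components, so "/out-evil/x"
        // is not treated as being inside "/out" (a String prefix check would be).
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("embedded filename escapes extraction directory: " + untrustedName);
        }
        return target.toFile();
    }

    public static void main(String[] args) throws IOException {
        File base = Files.createTempDirectory("extract").toFile();
        // Constructed sample names, not taken from a real PDF.
        String[] names = {
            "report.txt",
            "sub/attachment.bin",
            "../outside.txt",
            "sub/../../outside.txt",
            "../" + base.getName() + "-sibling/x.txt"
        };
        for (String name : names) {
            try {
                System.out.println("OK       " + name + " -> " + resolveInside(base, name));
            } catch (IOException e) {
                System.out.println("REJECTED " + name);
            }
        }
    }
}
```

The first two names resolve inside the temporary directory; the last three are rejected, including the sibling-directory case that a plain string-prefix comparison of the two canonical paths would accept.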