Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Docling RCE and shadow vulnerabilities in AI parsing pipelines


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 164
Topic starter  

TL;DR: Docling can execute arbitrary Python code during YAML parsing when unsafe PyYAML deserialization is triggered, creating CVE-2026-24009 and a shadow vulnerability pattern that can reach downstream systems at runtime, according to Oligo Security. The real issue is not parsing itself, but the assumption that document ingestion is safe enough to trust by default.

NHIMG editorial — based on content published by Oligo Security: Docling RCE: A Shadow Vulnerability Introduced via PyYAML (CVE-2026-24009)

Questions worth separating out

Q: What breaks when a document parser uses unsafe YAML deserialization?

A: The parser stops being a passive data handler and becomes an execution surface.

Q: Why do transitive dependencies create hidden risk in parsing pipelines?

A: Because the application may trust a top-level library while the dangerous behaviour lives deeper in a helper layer.

Q: How can security teams tell whether document parsing is truly safe?

A: They need runtime evidence, not just static review.

Practitioner guidance

  • Audit document ingestion paths for executable loaders Trace every place the application accepts structured documents and confirm whether the runtime can instantiate objects, call functions, or spawn processes during parsing.
  • Constrain the workload identity behind parsing services Run parsers with the smallest feasible filesystem, network, and data-access scope so a parsing exploit cannot immediately reach adjacent systems or high-value data.
  • Block unsafe deserialization at runtime Instrument parsing flows so the security stack can detect object instantiation, process creation, and anomalous execution during document handling.

What's in the full article

Oligo Security's full research covers the operational detail this post intentionally leaves for the source:

  • Runtime call stack evidence showing how the unsafe loader is reached during normal parsing
  • The specific Docling Core fix version and the remediation context around CVE-2026-24009
  • Examples of how the vulnerable path can be triggered through the parser or helper abstractions
  • The runtime protection behaviour the vendor says can block the exploit without terminating the container

👉 Read Oligo Security's analysis of Docling RCE and shadow vulnerability risk →

Docling RCE and shadow vulnerabilities in AI parsing pipelines?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Shadow vulnerabilities are not hidden code defects, they are hidden runtime authorities. CVE-2026-24009 exists because the application trusted a parsing path that could execute code during normal workflow execution. That is a governance failure, not just a coding mistake, because the dangerous capability sat inside an assumed-safe helper layer. Practitioners should treat inherited runtime behaviour as part of the identity and control boundary.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Who should be accountable when a parsing library enables code execution?

A: Accountability should sit with the team that owns the runtime and the workload identity, not only the developer who added the dependency. The control failure spans application design, dependency governance, and runtime protection. Frameworks such as NIST Cybersecurity Framework 2.0 help teams assign ownership across identify, protect, detect, and respond.

👉 Read our full editorial: Docling RCE exposes shadow vulnerability risk in AI parsing flows



   
ReplyQuote
Share: