CVE-2022-39019: Lack of authorization check on rendered images from PDFTron


PDFTron doesn’t provide any native mechanism to ensure that rendered documents cannot be opened by anyone other than the user who is supposed to access them. We had to implement our own additional layer of security to check for the current user session and determine whether the URLs can be opened.
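One way to build a session check of the kind described above, as an added example that is not Hubshare's or PDFTron's code: each rendered-image URL is signed for the session it was issued to, and the document ACL is re-checked on every request. The session store, ACL, ids, URL layout and function names are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# All names and data below are constructed for illustration.
URL_KEY = secrets.token_bytes(32)                          # server-side signing key
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}      # session id -> user
DOC_ACL = {"doc-1": {"alice"}, "doc-2": {"alice", "bob"}}  # document -> allowed users
RENDERED = {"r-9f3a": "doc-1", "r-77c0": "doc-2"}          # rendered image id -> document


def _tag(session_id, render_id):
    """HMAC over (session, rendered image), so a URL is only valid in one session."""
    msg = f"{session_id}\x00{render_id}".encode()
    return hmac.new(URL_KEY, msg, hashlib.sha256).hexdigest()


def _may_read(session_id, render_id):
    user = SESSIONS.get(session_id)
    doc = RENDERED.get(render_id)
    return user is not None and doc is not None and user in DOC_ACL.get(doc, set())


def serve_unchecked(render_id):
    """The weakness: possession of the URL is the only requirement."""
    return 200 if render_id in RENDERED else 404


def issue_url(session_id, render_id):
    """Hand out a rendered-image URL only to a session whose user may read the document."""
    if not _may_read(session_id, render_id):
        return None
    return f"/rendered/{render_id}?t={_tag(session_id, render_id)}"


def serve_checked(url, session_id):
    """Return the HTTP status for a rendered-image request made with this session."""
    if session_id not in SESSIONS:
        return 401
    path, _, token = url.partition("?t=")
    render_id = path.rsplit("/", 1)[-1]
    # A URL copied into another session carries the wrong tag and is rejected here.
    if not hmac.compare_digest(token.encode(), _tag(session_id, render_id).encode()):
        return 404
    # Re-check the ACL on every request so revoked access takes effect immediately.
    return 200 if _may_read(session_id, render_id) else 404
```

Denials return 404 rather than 403 so that a response does not confirm which rendered image ids exist.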

Risk level: High

Fix: Upgrade to version or later.


* Hubshare


We thank Michael Newton for responsible disclosure.

Date issued: 2022-08