CVE-2026-26801
Published: 10 March 2026
Summary
CVE-2026-26801 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in the pdfmake library. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 8.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26801 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting pdfmake versions 0.3.0-beta.2 through 0.3.5. The flaw exists in the src/URLResolver.js component, where it allows a remote attacker to obtain sensitive information. Published on 2026-03-10, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity over the network.
A remote attacker, requiring no privileges or user interaction, can exploit this SSRF vulnerability by inducing the affected pdfmake instance to make unauthorized requests, potentially accessing internal services or sensitive data that would otherwise be inaccessible from external networks.
Mitigation is available in pdfmake version 0.3.6, which patches the issue in URLResolver.js and introduces the setUrlAccessPolicy() method for server operators to enforce custom URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured. Practitioners should upgrade immediately and implement a strict URL access policy to prevent exploitation.
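As an added example (not pdfmake's own code), the following is a deny-by-default URL access policy of the kind the fixed version lets server operators enforce: https only, no embedded credentials, no literal IP hosts, and an exact host allowlist. That setUrlAccessPolicy() accepts a `(url) => boolean` callback is an assumption, as are the allowlisted host names.

```javascript
// Added example, not pdfmake's own code: a deny-by-default URL access policy
// for server-side pdfmake. ASSUMPTION: setUrlAccessPolicy() accepts a callback
// (url) => boolean; check the pdfmake documentation for the exact signature.

// Constructed allowlist: the only hosts the URL resolver may fetch from.
const ALLOWED_HOSTS = new Set(['assets.example.com', 'cdn.example.com']);

// WHATWG URL parsing (the global URL class) normalises numeric hosts such as
// 0x7f000001 or 2130706433 to dotted-decimal, so one pattern covers IPv4 literals.
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function isIpLiteral(hostname) {
  // IPv6 literals are returned by URL.hostname wrapped in square brackets.
  return hostname.startsWith('[') || IPV4_LITERAL.test(hostname);
}

// Returns true only for https URLs whose host is exactly allowlisted.
function urlAccessPolicy(rawUrl) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch {
    return false;                                   // unparsable input is denied
  }
  if (url.protocol !== 'https:') return false;      // blocks http:, file:, data:, ...
  if (url.username || url.password) return false;   // "https://trusted@other-host/" forms
  if (isIpLiteral(url.hostname)) return false;      // loopback, link-local, private ranges
  // Exact, case-insensitive match: no suffix matching, so "assets.example.com.other.tld"
  // and the trailing-dot form "assets.example.com." are both rejected.
  return ALLOWED_HOSTS.has(url.hostname.toLowerCase());
}

// Wiring, under the signature assumption stated above:
//   const pdfmake = require('pdfmake');
//   pdfmake.setUrlAccessPolicy(urlAccessPolicy);
```

The policy decides on the URL string alone; it cannot see what a hostname resolves to, which is why an exact allowlist of trusted hosts is preferred here over trying to deny internal address ranges.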
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10756
Vulnerability details
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6, which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SSRF in a public-facing pdfmake deployment (AV:N, no authentication required) directly enables exploitation of the application to reach internal services or sensitive data that would otherwise be unreachable.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the SSRF vulnerability by requiring timely upgrade to pdfmake version 0.3.6, which patches the flaw in URLResolver.js.
- Enforces configuration of strict URL access policies using the setUrlAccessPolicy() method introduced in the fixed version to block unauthorized outbound requests.
- Validates URL inputs to the URLResolver.js component to prevent remote attackers from inducing unauthorized requests to internal services.