Cyber Resilience

CVE-2026-26801

High · Public PoC

Published: 10 March 2026
Modified: 07 May 2026
KEV Added: not listed
Patch: available (0.3.6)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0003 (8.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26801 is a high-severity SSRF (CWE-918) vulnerability in pdfmake. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26801 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting pdfmake versions 0.3.0-beta.2 through 0.3.5. The flaw is in the src/URLResolver.js component and allows a remote attacker to obtain sensitive information. Published on 2026-03-10, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity over the network.

A remote attacker, requiring no privileges or user interaction, can exploit this SSRF vulnerability by inducing the affected pdfmake instance to make unauthorized requests, potentially accessing internal services or sensitive data that would otherwise be inaccessible from external networks.

Mitigation is available in pdfmake version 0.3.6, which patches the issue in URLResolver.js and introduces the setUrlAccessPolicy() method for server operators to enforce custom URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured. Practitioners should upgrade immediately and implement a strict URL access policy to prevent exploitation.

EU & UK References

Vulnerability details

Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6, which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
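The setUrlAccessPolicy() hook named in the vulnerability details and in the mitigation paragraph of the deeper analysis is where the operator's allow/deny decision has to live. What follows is an added example of the kind of policy function a server operator would supply; it is not code from pdfmake or from this advisory. The method name comes from the advisory, but the callback signature (a function taking a URL string and returning a boolean) and the example hostname allowlist are assumptions.

```javascript
// Added example (not pdfmake's own code): a URL access policy for a server-side
// PDF renderer that fetches images or fonts by URL. Assumed to be installed with
// pdfmake's setUrlAccessPolicy(); the callback shape (urlString) => boolean is an
// assumption, as is the allowlist below.

// Constructed allowlist of hosts the renderer is permitted to fetch from.
const EXAMPLE_ALLOWED_HOSTS = ['assets.example.com', 'cdn.example.com'];

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for address ranges a document renderer should never reach: "this"
// network, RFC 1918 private, loopback, link-local, CGNAT (100.64/10),
// multicast and reserved.
function isInternalIPv4([a, b]) {
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127) ||
    a >= 224
  );
}

// Build a policy function. With an allowlist, only those hostnames pass (strict
// mode). Without one, any public https hostname passes, but loopback, private
// and link-local targets are still denied.
function makeUrlAccessPolicy({ allowedHosts = null } = {}) {
  const allow = allowedHosts
    ? new Set(allowedHosts.map((h) => h.toLowerCase()))
    : null;

  return function urlAccessPolicy(urlString) {
    let url;
    try {
      // The WHATWG parser canonicalises hosts, so a decimal literal such as
      // 2130706433 comes back as 127.0.0.1 and is caught by the range check.
      url = new URL(urlString);
    } catch {
      return false; // unparseable input is denied; never fail open
    }
    if (url.protocol !== 'https:') return false;    // rejects http:, file:, data:, ...
    if (url.username || url.password) return false;  // no embedded credentials
    const host = url.hostname.toLowerCase();
    if (host === '' || host === 'localhost' || host.endsWith('.localhost')) return false;
    if (host.startsWith('[')) return false;          // IPv6 literal: denied outright here
    const v4 = parseIPv4(host);
    if (v4 && isInternalIPv4(v4)) return false;
    if (allow) return allow.has(host);               // strict mode: allowlist decides
    return true;
  };
}

// Usage: build the policy once at startup and hand it to the renderer.
const strictPolicy = makeUrlAccessPolicy({ allowedHosts: EXAMPLE_ALLOWED_HOSTS });
// pdfMake.setUrlAccessPolicy(strictPolicy);  // assumed call shape, see lead-in
console.log(strictPolicy('https://assets.example.com/logo.png')); // true
console.log(strictPolicy('https://127.0.0.1/status'));            // false
```

The allowlist mode is the one to deploy when the set of asset hosts is known, which is the usual case for a server-side renderer; the range-based mode is the fallback when documents legitimately reference arbitrary public hosts. Two caveats apply to any policy of this shape: it judges the URL as written, so a permitted hostname that resolves to an internal address is not caught unless the resolved address is also checked at connect time, and an https redirect to another URL must be run through the same policy rather than followed blindly.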

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing pdfmake library (AV:N, no auth) directly enables exploitation of the application to access otherwise unreachable internal/sensitive data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6514 (shared CWE-918)
CVE-2026-44116 (shared CWE-918)
CVE-2026-21887 (shared CWE-918)
CVE-2026-31910 (shared CWE-918)
CVE-2026-48153 (shared CWE-918)
CVE-2026-45298 (shared CWE-918)
CVE-2026-39362 (shared CWE-918)
CVE-2026-31989 (shared CWE-918)
CVE-2025-27652 (shared CWE-918)
CVE-2026-42352 (shared CWE-918)

Affected Assets

pdfmake (vendor) / pdfmake (product)
Versions: 0.3.0 · 0.3.1 through 0.3.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly mitigates the SSRF vulnerability by requiring timely upgrade to pdfmake version 0.3.6, which patches the flaw in URLResolver.js.

Prevent: Enforces configuration of strict URL access policies using the setUrlAccessPolicy() method introduced in the fixed version to block unauthorized outbound requests.

Prevent: Validates URL inputs to the URLResolver.js component to prevent remote attackers from inducing unauthorized requests to internal services.

References