CVE-2026-26801: n/a
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
AI Analysis
Technical Summary
CVE-2026-26801 is a Server-Side Request Forgery (SSRF) vulnerability in the pdfmake library, affecting versions 0.3.0-beta.2 through 0.3.5. The flaw is in the src/URLResolver.js component, which fetches remote resources (such as images referenced by URL in a document definition) while pdfmake builds a PDF. Before 0.3.6 the resolver applied no restriction on which URLs it would fetch, so any URL that reaches a document definition rendered on the server is requested from that server's network position. When that URL is attacker-controlled, the server can be made to request internal hosts, loopback services, or cloud metadata endpoints that are unreachable from outside; the CVE record rates the result as information disclosure.

In CVSS terms the attack needs no privileges and no user interaction. In practice an application is exposed only where attacker-supplied data can end up in a URL field of a document definition that pdfmake resolves server-side; when pdfmake runs in the browser the fetch originates from the user's own machine, which is not an SSRF, and that is why the new warning is specific to server-side use.

The fix in version 0.3.6 added the setUrlAccessPolicy() method, which lets the server operator define which URLs the resolver may fetch, and logs a warning when pdfmake is used server-side with no policy configured. The warning exists because the upgrade by itself only makes restriction possible; the operator still has to configure the policy.

The analysis assigns a CVSS v3.1 base score of 7.5 (high): network attack vector, low attack complexity, no privileges required, no user interaction, high confidentiality impact, and no integrity or availability impact. The CVE record itself lists no CVSS version (see Technical Details). No exploits in the wild are known at the time of writing. The weakness is classified as CWE-918 (Server-Side Request Forgery).
Potential Impact
The primary impact of CVE-2026-26801 is unauthorized disclosure of information reachable from the vulnerable server. An attacker who controls a URL in a document definition can make the server issue HTTP requests to internal services, cloud instance metadata endpoints (for example the link-local address 169.254.169.254), or other resources that are not exposed externally, which can reveal internal IP addresses, credentials, or configuration details. How much of a response actually reaches the attacker depends on how the application returns the generated PDF and whether it surfaces resolver errors; even a yes/no signal about whether an internal host answered is useful for reconnaissance. The vulnerability does not directly affect integrity or availability, but the disclosed information can enable follow-on attacks such as lateral movement or privilege escalation. The deployments most at risk are those that generate PDFs server-side from untrusted input, especially in cloud or internal-network environments where metadata services and unauthenticated internal endpoints are reachable. No active exploitation is reported, but the high severity score and the wide use of pdfmake in web applications make timely remediation important.
Mitigation Recommendations
To mitigate CVE-2026-26801:
- Upgrade pdfmake to 0.3.6 or later and, on every server-side deployment, configure a URL access policy with setUrlAccessPolicy(). The upgrade alone only makes restriction possible; a deployment that leaves the policy unset is what the new warning flags.
- Make the policy an allowlist of the specific hosts (or IP ranges) the application legitimately needs, over https, rather than a denylist of internal addresses. Denylists are routinely bypassed with alternate IP encodings, redirects, and DNS rebinding.
- Treat the server-side "no policy configured" warning as a finding: search application logs for it after upgrading, and alert on it in production.
- Where possible, keep untrusted input out of URL fields altogether: fetch images yourself from trusted locations and hand them to pdfmake as embedded data (for example base64 data URIs), so the resolver never fetches anything attacker-supplied.
- Add egress filtering (host firewall, network policy, or an outbound proxy) so the PDF-generation process can reach only the hosts it needs, and in cloud environments block its access to the instance metadata endpoint.
- Use RASP or WAF SSRF detection only as a secondary control; a URL arriving inside a JSON document definition is easy for such tools to miss, so they cannot replace the policy.
- Keep dependencies current, and include SSRF cases (internal hosts, the metadata endpoint, redirects, IP-encoding tricks) in penetration tests of PDF-generation features to verify that the mitigations hold.
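The kind of allowlist check the policy should implement, as an added example in plain Node.js that is not pdfmake's own code: the policy object shape (allowedSchemes, allowedHosts), the function names, and the sample hosts are assumptions for this illustration, and the real setUrlAccessPolicy() API in 0.3.6 may take a different shape. The example also shows why a string denylist is not enough: the WHATWG URL parser normalises encodings such as https://2130706433/ to 127.0.0.1, and an allowlisted hostname can still resolve to an internal address, so the caller re-checks the addresses it obtained from DNS right before fetching.

```javascript
// Added example (not pdfmake's own code): an allowlist URL-access check of the
// kind a server operator should enforce before pdfmake resolves a remote URL.
// Policy shape, function names and hosts are assumptions for this illustration.

// Constructed policy: https only, and only two hosts the application trusts.
const EXAMPLE_POLICY = {
  allowedSchemes: new Set(['https:']),
  allowedHosts: new Set(['assets.example.com', 'cdn.example.com']),
};

// IPv4 ranges a server-side fetch must never reach: "this network", loopback,
// RFC 1918 private, CGNAT, and link-local (which contains the cloud metadata
// address 169.254.169.254).
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// IPv6 equivalents: unspecified, loopback, unique-local, link-local, and
// IPv4-mapped addresses (checked against the IPv4 rules). The WHATWG URL
// parser serialises mapped addresses in hex (::ffff:7f00:1), so both the
// dotted and the hex form are handled.
function isPrivateIPv6(ip) {
  const lower = ip.toLowerCase();
  if (lower === '::' || lower === '::1') return true;
  let m = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (m) return isPrivateIPv4(m[1]);
  m = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return isPrivateIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return /^f[cd]/.test(lower) || /^fe[89ab]/.test(lower);
}

// For an IP-literal host, returns a reason string if it is blocked, else null.
// Non-literal hostnames return null here and are judged by the allowlist.
function isBlockedAddress(host) {
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return isPrivateIPv4(host) ? `private IPv4 ${host}` : null;
  }
  if (host.includes(':')) {
    return isPrivateIPv6(host) ? `private IPv6 ${host}` : null;
  }
  return null;
}

// Returns { allowed, reason }. `resolvedAddresses` is optional: pass the
// addresses obtained from DNS immediately before the fetch, so an allowlisted
// hostname that resolves to an internal address (DNS rebinding) is refused.
function checkUrlAccess(rawUrl, policy = EXAMPLE_POLICY, resolvedAddresses = []) {
  let url;
  try {
    url = new URL(rawUrl); // normalises tricks such as https://2130706433/
  } catch {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (!policy.allowedSchemes.has(url.protocol)) {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { allowed: false, reason: 'credentials embedded in URL' };
  }
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  const literalBlocked = isBlockedAddress(host);
  if (literalBlocked) return { allowed: false, reason: literalBlocked };
  if (!policy.allowedHosts.has(host)) {
    return { allowed: false, reason: `host ${host} not in allowlist` };
  }
  for (const addr of resolvedAddresses) {
    const blocked = isBlockedAddress(addr);
    if (blocked) {
      return { allowed: false, reason: `${host} resolves to ${addr}: ${blocked}` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Usage: run the check on every URL in a document definition before handing
// the definition to pdfmake, and drop or reject any that are not allowed.
console.log(checkUrlAccess('https://2130706433/').reason); // private IPv4 127.0.0.1
```

The IP-literal check runs even though an allowlist would reject bare IPs anyway, because the same function is reused on the DNS results, which is where a rebinding attack would otherwise slip past a hostname-only allowlist. Redirects are the other gap: the fetch itself must either refuse to follow them or re-run this check on each hop.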
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Netherlands, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-02-16T00:00:00.000Z
- CVSS Version: null (the CVE record itself carries no CVSS vector)
- State: PUBLISHED
Threat ID: 69b063a09972381a98a3a04a
Added to database: 3/10/2026, 6:32:00 PM
Last enriched: 3/18/2026, 6:31:19 PM
Last updated: 4/28/2026, 7:22:26 AM