CVE-2026-26801: n/a
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6, which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
AI Analysis
Technical Summary
CVE-2026-26801 identifies a Server-Side Request Forgery (SSRF) vulnerability in the pdfmake library, specifically in versions 0.3.0-beta.2 through 0.3.5. The vulnerability resides in the src/URLResolver.js component, which is responsible for resolving URLs when pdfmake processes PDF generation requests. SSRF occurs when an attacker can manipulate server-side code to make HTTP requests to arbitrary URLs, potentially accessing internal resources or sensitive information not intended to be exposed externally. In this case, the vulnerability allows remote attackers to craft malicious inputs that cause the server running pdfmake to fetch unauthorized URLs, leading to information disclosure or further internal network reconnaissance. The vulnerability was addressed in version 0.3.6 by introducing the setUrlAccessPolicy() method, which allows server operators to define strict URL access rules, effectively restricting which URLs pdfmake can access during PDF generation. Additionally, pdfmake now logs warnings when used server-side without a configured URL access policy, encouraging administrators to enforce security controls. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The vulnerability is significant for environments where pdfmake is used server-side to generate PDFs from untrusted or user-supplied data, as it could be leveraged to bypass network segmentation or access sensitive internal endpoints.
Potential Impact
The SSRF vulnerability in pdfmake can lead to unauthorized internal network scanning, access to sensitive internal services, and potential leakage of confidential information. Organizations using vulnerable pdfmake versions in server-side PDF generation workflows are at risk of attackers exploiting this flaw to pivot into internal systems or exfiltrate data. This can compromise confidentiality and potentially integrity if internal services are manipulated. The impact is heightened in environments where pdfmake processes untrusted input or where internal network resources are accessible but not externally exposed. Although no known exploits exist currently, the ease of exploitation typical of SSRF vulnerabilities combined with the widespread use of pdfmake in web applications and services could lead to significant security incidents if left unmitigated. The availability impact is generally low but could increase if attackers leverage SSRF to trigger denial-of-service conditions on internal services.
Mitigation Recommendations
Organizations should immediately upgrade pdfmake to version 0.3.6 or later to obtain the fix for CVE-2026-26801. Beyond upgrading, it is critical to configure the setUrlAccessPolicy() method to explicitly define and restrict allowed URL patterns, minimizing the attack surface for SSRF. Server operators should audit all server-side uses of pdfmake to ensure no untrusted input is processed without proper validation and sanitization. Network-level controls such as firewall rules or internal segmentation should be employed to limit the server's ability to make arbitrary outbound HTTP requests, especially to sensitive internal endpoints. Monitoring and alerting on unusual outbound requests from servers running pdfmake can help detect exploitation attempts. Additionally, reviewing application logs for the new warnings about missing URL access policies can identify vulnerable deployments. Regular security assessments and penetration testing should include checks for SSRF vulnerabilities in PDF generation components.
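An allow-list style URL access policy of the kind the recommendation above asks operators to configure, written here as an added example and not taken from pdfmake. makeUrlPolicy() returns a predicate that decides whether pdfmake's URL resolver may fetch a given URL; the host list is a constructed sample, and how such a predicate is handed to setUrlAccessPolicy() (its parameter shape) is an assumption that must be checked against the 0.3.6 documentation.

```javascript
// Added example, not pdfmake's own code: an allow-list URL access policy of the
// kind a server operator should configure on pdfmake 0.3.6+. makeUrlPolicy()
// returns a predicate (url string -> boolean). How that predicate is registered
// via setUrlAccessPolicy() is an ASSUMPTION and is not shown here.
function makeUrlPolicy(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));

  // WHATWG URL parsing (Node's global URL) normalises hex/octal/shorthand IPv4
  // forms such as 0x7f000001 into dotted-decimal, so a plain regex is enough.
  const isIpLiteral = (host) =>
    /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");

  return function isUrlAllowed(rawUrl) {
    let url;
    try {
      url = new URL(String(rawUrl));
    } catch (e) {
      return false; // unparsable input is denied, never "fixed up"
    }
    if (url.protocol !== "https:") return false;    // blocks http:, file:, data:, gopher: ...
    if (url.username || url.password) return false; // no credentials embedded in the URL
    if (url.port !== "") return false;              // default port only: no :8080, :6379 ...
    const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
    // Literal addresses (127.0.0.1, 169.254.169.254, [::1] ...) never pass, even
    // if one was put on the allow-list by mistake.
    if (isIpLiteral(host)) return false;
    // Exact-match allow-list: cdn.example.com.other.test does not match cdn.example.com.
    return allowed.has(host);
  };
}

// Constructed sample: the only origin this deployment fetches images and fonts from.
const policy = makeUrlPolicy(["cdn.example.com"]);
```

A hostname allow-list does not control where DNS resolves that name to, so this policy belongs alongside the egress firewalling and segmentation recommended above rather than in place of it.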
Affected Countries
United States, Germany, United Kingdom, France, India, Japan, Australia, Canada, Netherlands, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-02-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69b063a09972381a98a3a04a
Added to database: 3/10/2026, 6:32:00 PM
Last enriched: 3/10/2026, 6:45:31 PM
Last updated: 3/14/2026, 12:38:52 AM