CVE-2026-33438 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting Stirling-PDF versions from 2.1.5 up to 2.5.2. Stirling-PDF is a locally hosted web application designed to perform various PDF file operations, including adding watermarks. The vulnerability resides in the /api/v1/security/add-watermark endpoint, where authenticated users can supply excessively large values for the fontSize and widthSpacer parameters. These parameters control the appearance of the watermark, but the application lacks proper input validation or throttling mechanisms to limit resource consumption. As a result, attackers can trigger excessive memory or CPU usage, leading to denial of service by crashing the server or making the service unavailable. The vulnerability requires authentication but no further user interaction, making it exploitable by any legitimate user with access. The CVSS 3.1 base score is 6.5, reflecting a medium severity due to the impact on availability without affecting confidentiality or integrity. The issue was publicly disclosed on March 26, 2026, and fixed in version 2.5.2 of Stirling-PDF. No known exploits are currently reported in the wild. This vulnerability highlights the importance of input validation and resource management in web applications handling file operations.

The primary impact of CVE-2026-33438 is denial of service, which can disrupt business operations relying on Stirling-PDF for PDF processing tasks. Organizations using vulnerable versions may experience server crashes or unavailability of the PDF watermarking service, potentially halting workflows that depend on document processing. This can lead to operational delays, reduced productivity, and increased support costs. Although the vulnerability does not expose sensitive data or allow unauthorized data modification, the loss of service availability can affect customer trust and business continuity. In environments where Stirling-PDF is integrated into critical document management or compliance systems, the impact could be more severe, potentially affecting regulatory adherence or contractual obligations. Since exploitation requires authentication, insider threats or compromised user accounts pose a significant risk. The absence of known exploits in the wild reduces immediate threat but does not eliminate future exploitation risk.

To mitigate CVE-2026-33438, organizations should upgrade Stirling-PDF to version 2.5.2 or later, where the vulnerability is patched. Until upgrade is possible, implement strict access controls to limit authenticated user permissions, minimizing the number of users who can access the watermark functionality. Monitor and log usage of the /api/v1/security/add-watermark endpoint to detect abnormal parameter values or usage patterns indicative of exploitation attempts. Employ web application firewalls (WAFs) with custom rules to throttle or block requests with unusually large fontSize or widthSpacer parameters. Conduct regular audits of user accounts to prevent unauthorized access and promptly revoke credentials of inactive or suspicious users. Additionally, consider isolating the Stirling-PDF service in a controlled environment with resource limits (e.g., container resource quotas or OS-level cgroups) to prevent a single process from exhausting system resources. Educate users about the risks of misuse and enforce strong authentication mechanisms to reduce insider threat potential.