CVE-2026-26801 - Vulnerability Details

- SSRF Vulnerability in pdfmake Source Resolver Allows Remote Information Disclosure

Description

Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.

Published: 2026-03-10

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a Server‑Side Request Forgery in the pdfmake library's URLResolver.js component. A remote attacker can provoke the server to resolve arbitrary URLs, which may leak internal data or external resources. The flaw is identified as CWE‑918 and allows attackers to read sensitive information from the server environment.

Affected Systems

Affected versions are pdfmake 0.3.0‑beta.2 through 0.3.5. Any deployment that imports pdfmake in server‑side code without a URL access policy is at risk. The patch was released in 0.3.6 and introduces setUrlAccessPolicy and a runtime warning when no policy is defined.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. The EPSS score is less than 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in the KEV catalog. However, because SSRF can be leveraged to access internal resources, the risk remains significant for applications exposed to untrusted inputs. The attack vector likely involves supplying a malicious URL parameter to pdfmake during document generation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Bpampuch

Pdfmake

80%

Version	Status	Scheme	Platform
`[0.3.0-beta.2,0.3.5]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade pdfmake to version 0.3.6 or later.
If upgrading is not immediately possible, configure a URL access policy by invoking setUrlAccessPolicy to restrict permitted domains.
Monitor application logs for the warning emitted when no policy is configured and add a policy if any usage is detected.
Avoid using pdfmake in server‑side contexts that accept untrusted input, or isolate that code with network restrictions.

Generated by OpenCVE AI on April 16, 2026 at 03:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-wp52-r2fp-4vmr	pdfmake is vulnerable to server-side request forgery (SSRF)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/bpampuch/pdfmake
https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js
https://github.com/bpampuch/pdfmake/pull/2920
https://github.com/bpampuch/pdfmake/releases/tag/0.3.6
https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf

History

Thu, 16 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
Title		SSRF Vulnerability in pdfmake Source Resolver Allows Remote Information Disclosure

Tue, 17 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf

Wed, 11 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bpampuch Bpampuch pdfmake
Vendors & Products		Bpampuch Bpampuch pdfmake

Tue, 10 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-918
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description		Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
References		https://github.com/bpampuch/pdfmake https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js https://github.com/bpampuch/pdfmake/pull/2920 https://github.com/bpampuch/pdfmake/releases/tag/0.3.6

Subscriptions

Bpampuch Pdfmake

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-10T00:00:00.000Z

Updated: 2026-03-17T16:36:36.743Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26801

Vulnrichment

Updated: 2026-03-10T18:51:06.465Z

NVD

Status : Awaiting Analysis

Published: 2026-03-10T19:17:17.430

Modified: 2026-03-17T17:16:15.193

Link: CVE-2026-26801

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object