CVE-2026-26801
📋 TL;DR
This Server-Side Request Forgery (SSRF) vulnerability in pdfmake allows attackers to make unauthorized requests from the server to internal or external systems, potentially exposing sensitive data. It affects server-side deployments of pdfmake versions 0.3.0-beta.2 through 0.3.5 that process untrusted PDF generation requests.
💻 Affected Systems
- pdfmake
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker accesses internal services, cloud metadata, or sensitive APIs, leading to data exfiltration, internal network reconnaissance, or secondary attacks on internal systems.
Likely Case
Information disclosure from internal services or cloud metadata endpoints, potentially exposing credentials, configuration data, or internal system information.
If Mitigated
Limited impact with proper URL access policies preventing unauthorized requests to sensitive endpoints.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited; the vulnerability is in URL resolution logic that processes external resources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.3.6
Vendor Advisory: https://github.com/bpampuch/pdfmake/releases/tag/0.3.6
Restart Required: No
Instructions:
1. Update pdfmake to version 0.3.6 or later.
2. Configure the URL access policy using the setUrlAccessPolicy() method.
3. Test PDF generation functionality.
🔧 Temporary Workarounds
Implement URL validation middleware
Add server-side validation to reject PDF generation requests containing suspicious URLs before they reach pdfmake.
Network segmentation
Restrict outbound network access from PDF generation servers to only the external services they need.
🧯 If You Can't Patch
- Implement strict input validation to reject URLs pointing to internal IP ranges or sensitive endpoints.
- Deploy web application firewall (WAF) rules to detect and block SSRF patterns in PDF generation requests.
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules/pdfmake/package.json for a version number from 0.3.0-beta.2 through 0.3.5.
Check Version:
npm list pdfmake | grep pdfmake
Verify Fix Applied:
Confirm version is 0.3.6+ and verify setUrlAccessPolicy() is configured in server-side code.
📡 Detection & Monitoring
Log Indicators:
- Warning logs about missing URL access policy in pdfmake
- Unusual outbound requests from PDF generation servers to internal IPs
Network Indicators:
- HTTP requests from PDF servers to cloud metadata endpoints (169.254.169.254, etc.)
- Requests to internal services from PDF generation systems
SIEM Query:
source="pdfmake" AND (message="*URL access policy*" OR message="*warning*" OR message="*ssrf*")