CVE-2026-34366 Overview
CVE-2026-34366 is a Server-Side Request Forgery (SSRF) vulnerability discovered in InvoiceShelf, an open-source web and mobile application designed for tracking expenses, payments, and creating professional invoices and estimates. The vulnerability exists in the Payment receipt PDF generation module where user-supplied HTML in the payment Notes field is passed unsanitized to the Dompdf rendering library. This allows attackers to force the server to fetch arbitrary remote resources referenced in the markup.
Critical Impact
Authenticated attackers with high privileges can exploit this SSRF vulnerability to access internal services, exfiltrate sensitive data from internal network resources, or perform reconnaissance on internal infrastructure. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled.
Affected Products
- InvoiceShelf versions prior to 2.2.0
- InvoiceShelf web application with PDF receipt generation functionality
- InvoiceShelf installations using the Dompdf rendering library
Discovery Timeline
- 2026-03-31 - CVE-2026-34366 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34366
Vulnerability Analysis
This Server-Side Request Forgery (SSRF) vulnerability (classified as CWE-918) affects the payment receipt PDF generation functionality in InvoiceShelf. The core issue stems from the application's failure to properly sanitize user-supplied HTML content before passing it to the Dompdf rendering library for PDF generation.
When a user enters content in the payment Notes field, this data is directly incorporated into the PDF generation process without adequate validation or sanitization. Dompdf, by design, attempts to fetch external resources (such as images, stylesheets, or fonts) referenced in the HTML markup. An attacker can exploit this behavior by injecting malicious HTML elements that reference internal network resources or sensitive endpoints.
The vulnerability requires network access and elevated privileges to exploit, but does not require user interaction. Due to the scope change indicator in the vulnerability assessment, a successful exploit can affect resources beyond the vulnerable component's security scope, potentially compromising confidentiality of internal systems and causing limited integrity impacts.
Root Cause
The root cause of CVE-2026-34366 lies in the lack of input sanitization in the payment Notes field processing pipeline. The application accepts arbitrary HTML content from authenticated users with appropriate privileges and passes this content directly to the Dompdf library without filtering or validating URLs referenced in HTML elements such as <img>, <link>, <iframe>, or similar tags that can trigger server-side HTTP requests.
The Dompdf library, when processing these HTML elements, makes HTTP requests to fetch the referenced resources from the server's perspective. This design allows an attacker to craft malicious payloads that force the server to make requests to internal services, cloud metadata endpoints, or other sensitive resources that should not be accessible externally.
Attack Vector
The attack is executed via network access to the PDF receipt generation endpoint. An authenticated attacker with high privileges can inject specially crafted HTML markup into the payment Notes field containing references to internal resources or sensitive endpoints. When the PDF generation is triggered—either manually through the PDF receipt endpoint or through automated processes—the Dompdf library processes the malicious HTML and initiates outbound HTTP requests to the attacker-specified targets.
Potential attack scenarios include:
- Accessing cloud metadata services (e.g., AWS metadata at 169.254.169.254) to retrieve instance credentials
- Scanning internal network services and ports to map infrastructure
- Accessing internal APIs or services that are not exposed externally
- Exfiltrating data from internal databases or file systems accessible via HTTP
The vulnerability is particularly dangerous because it can be triggered through the direct PDF receipt endpoint, bypassing any restrictions that might be in place for email attachment functionality.
Detection Methods for CVE-2026-34366
Indicators of Compromise
- Unusual outbound HTTP requests originating from the InvoiceShelf application server to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints such as 169.254.169.254 from the application server
- Payment records containing suspicious HTML tags like <img>, <iframe>, <link>, or <object> with internal or localhost URLs in the Notes field
- PDF generation errors or timeouts that may indicate failed SSRF attempts against non-responsive internal endpoints
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block SSRF patterns in request parameters, particularly looking for internal IP addresses and cloud metadata URLs
- Monitor application logs for PDF generation requests that reference suspicious URLs or internal network addresses
- Deploy network segmentation monitoring to detect unexpected traffic from the web application tier to internal services
- Use SentinelOne Singularity Platform to monitor for anomalous network behavior from web application processes
Monitoring Recommendations
- Enable detailed logging for all PDF generation operations, including the content being rendered
- Configure network monitoring to alert on outbound connections from the InvoiceShelf server to internal network ranges
- Implement egress filtering and monitor for violations that may indicate SSRF exploitation attempts
- Review payment Notes field content periodically for suspicious HTML patterns
How to Mitigate CVE-2026-34366
Immediate Actions Required
- Upgrade InvoiceShelf to version 2.2.0 or later immediately, as this version contains the security patch for the vulnerability
- If immediate upgrade is not possible, implement input sanitization at the web application firewall level to strip HTML tags from the payment Notes field
- Review existing payment records for any suspicious HTML content that may indicate prior exploitation attempts
- Restrict network egress from the InvoiceShelf application server to only required external services
Patch Information
The vulnerability has been addressed in InvoiceShelf version 2.2.0. Organizations should upgrade to this version or later to remediate the vulnerability. For detailed information about the patch and release notes, refer to the GitHub Release 2.2.0. Additional technical details about the vulnerability are available in the GitHub Security Advisory GHSA-38hf-fq8x-q49r.
Workarounds
- Implement strict input validation on the payment Notes field to strip or encode all HTML tags before storage and processing
- Configure Dompdf to disable remote resource fetching by setting the isRemoteEnabled option to false if external resources are not required for PDF generation
- Deploy network-level egress filtering to prevent the application server from making requests to internal network ranges and cloud metadata endpoints
- Consider implementing a content security policy for PDF generation that whitelists only approved external resource domains
# Configuration example - Restrict Dompdf remote fetching
# In your InvoiceShelf configuration or Dompdf initialization:
# Set DOMPDF_ENABLE_REMOTE to false in environment configuration
echo "DOMPDF_ENABLE_REMOTE=false" >> .env
# Network-level mitigation: Block metadata endpoint access (iptables example)
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Block access to internal network ranges from web server
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
