Subscribe to the Non-Human & AI Identity Journal

What breaks when PDF readers are allowed to execute active content by default?

Default active-content handling turns a document viewer into a runtime execution surface. That can allow JavaScript, form actions, or remote references to trigger network activity, leak authentication material, or exploit a reader flaw. Security teams should treat PDF rendering as a controlled execution path, not a passive file preview, especially on managed endpoints that hold enterprise credentials.

Why This Matters for Security Teams

When PDF readers execute active content by default, the viewer stops behaving like a passive display layer and starts acting like a client runtime with outbound reach, scripting support, and document-triggered actions. That shifts risk from simple file handling into identity exposure, network egress, and exploit execution. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls treats controlled execution, application hardening, and boundary protection as separate security concerns for a reason.

This matters even more on managed endpoints where enterprise browser sessions, SSO tokens, cached secrets, and attached certificates are already present. A malicious PDF can trigger remote fetches, exploit embedded scripting, or cause the reader to reach out to attacker-controlled infrastructure before a user realizes the file is unsafe. NHIMG’s Ultimate Guide to NHIs notes that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, which is exactly why document viewers must not be allowed to behave like general-purpose execution surfaces.

Security teams often assume “it is only a document” until a reader plugin, embedded action, or compromised PDF parser turns preview into execution and the incident shows up first as credential exposure rather than malware detection. In practice, many security teams encounter this only after a user opens a routine attachment and the reader has already made the first network call.

How It Works in Practice

The safest operating model is to treat PDF handling as a constrained trust boundary. That means disabling JavaScript, blocking automatic form submission, preventing silent remote content retrieval, and restricting launch actions or embedded file attachments unless there is an explicit business need. Current guidance suggests that the reader should default to no network activity and no privileged action unless policy allows it at runtime.

In environments with higher assurance needs, the viewer should run with application control, least privilege, and attachment isolation. A browser-based preview service or sandboxed rendering tier can reduce direct exposure of endpoint credentials, while content disarm and reconstruction can strip active elements before delivery. For identity-sensitive workloads, the issue is not only whether the file is malicious, but whether the reader can become an unwitting bridge to secrets already present on the host. NIST’s controls on software execution and controlled information flow are relevant because they map directly to document-driven egress and privilege containment.

Operationally, teams should validate whether their PDF stack permits:

  • JavaScript execution inside documents
  • Automatic retrieval of remote fonts, images, or linked files
  • Form submission without user confirmation
  • Launch actions that open local programs or scripts
  • Plugin-based rendering paths with separate trust boundaries

NHIMG’s Ultimate Guide to NHIs also highlights that only 5.7% of organisations have full visibility into service accounts, which is a useful reminder that document-triggered activity often reaches more than one identity layer. These controls tend to break down on legacy desktop fleets and heavily customized reader deployments because plugin behavior, cached sessions, and inconsistent patching create multiple execution paths that policy cannot reliably normalize.

Common Variations and Edge Cases

Tighter reader controls often increase user friction and support overhead, requiring organisations to balance preview convenience against the cost of blocking legitimate document features. That tradeoff is real, especially for teams that rely on interactive forms, signed PDFs, or workflow annotations.

There is no universal standard for this yet across every reader and platform, so best practice is evolving. Some business units may need limited JavaScript or trusted form actions, but those exceptions should be explicitly scoped, logged, and reviewed. For high-risk users, the default should still be deny, with exceptions only for vetted documents and trusted origins. OWASP guidance on insecure file handling is consistent with this stance, and NHIMG’s research on NHI exposure shows why: once a reader can reach network resources, it can also interact with the same credential material that protects mail, SSO, and cloud consoles.

Edge cases include digitally signed documents, accessibility features, and embedded multimedia. These are not automatically malicious, but they can expand the attack surface in ways that security tooling does not always classify correctly. Where regulatory or operational requirements force active content to remain enabled, the safer pattern is to isolate the viewer in a hardened sandbox, prevent direct access to enterprise secrets, and monitor for unexpected outbound requests. The problem becomes harder in VDI, shared kiosks, and developer workstations because the reader inherits broader trust, local tooling, and long-lived authenticated sessions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 Active document content becomes an execution surface similar to unsafe agent tool use.
OWASP Non-Human Identity Top 10 NHI-03 Reader-triggered activity can expose or misuse non-human credentials on endpoints.
CSA MAESTRO MAESTRO addresses runtime control and isolation for autonomous or semi-trusted execution.
NIST AI RMF AI RMF governance logic fits runtime risk decisions for dynamic content execution.
NIST CSF 2.0 PR.AC-4 Least privilege limits what a document viewer can reach on a managed endpoint.

Restrict document-triggered actions to explicit policy and sandbox any runtime execution path.