Description
Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.
Published: 2026-03-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

The vulnerability results from case‑insensitive handling of URL schemes in Gotenberg's Chromium component: the scheme deny‑list introduced for CVE‑2024‑21527 compared schemes literally, while the URL consumer treats them without regard to case. An attacker can therefore supply mixed‑case or all‑uppercase schemes that bypass the deny‑list, causing the service to retrieve and process URLs it was meant to refuse. The resulting unintended outbound requests can expose internal resources or load attacker‑controlled content that is then used for further attacks. The weakness is classified as path traversal (CWE‑22) and server‑side request forgery (CWE‑918).

Affected Systems

All installations of Gotenberg from The Coding Machine prior to release 8.29.0 are vulnerable. The fix is included in version 8.29.0 and newer. Users running earlier versions should upgrade or apply temporary controls.

Risk and Exploitability

The CVSS score of 7.8 classifies the issue as High, and the EPSS score of below 1% indicates a low current exploitation rate. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending crafted URLs to a publicly accessible Gotenberg endpoint; no special privileges are required. While the flaw does not directly lead to code execution, the forced outbound request can be used to reach internal services, exfiltrate data, or facilitate additional attacks.

Generated by OpenCVE AI on April 8, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to version 8.29.0 or later to remove the case‑sensitivity bypass.
  • If an upgrade is not immediately possible, isolate the Gotenberg service behind a network perimeter that denies outbound traffic to untrusted hosts.
  • Ensure that the deny‑list enforcement is verified by attempting to access mixed‑case or uppercase schemes after applying the patch.
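The defect class the analysis describes, and the post‑patch check the last action item asks for, as an added Go example. This is not Gotenberg's code: the deny‑list here is constructed (only "file" is in it, standing in for whatever the real service refuses), and the URL probe path "/placeholder" is made up. The naive filter compares the raw string literally; the hardened one parses the URL and lower‑cases the scheme before comparing, and fails closed on unparsable or scheme‑less input. A helper then feeds every case spelling of a denied scheme to a filter and reports what slipped through, which is the regression check a defender runs after upgrading.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// deniedSchemes is a constructed deny-list for this example, not Gotenberg's
// real configuration: "file" stands in for whatever the service refuses.
var deniedSchemes = []string{"file"}

// IsDeniedNaive models the defect class described in the advisory: it compares
// the raw string against the deny-list byte-for-byte, so "FILE:" or "File:"
// are not matched and slip past the filter.
func IsDeniedNaive(raw string) bool {
	for _, s := range deniedSchemes {
		if strings.HasPrefix(raw, s+":") {
			return true
		}
	}
	return false
}

// IsDeniedNormalized parses the URL, lower-cases the scheme and only then
// compares it with the deny-list, so every case spelling collapses to one.
// Parse failures and scheme-less inputs are treated as denied (fail closed).
func IsDeniedNormalized(raw string) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Scheme == "" {
		return true
	}
	scheme := strings.ToLower(u.Scheme)
	for _, s := range deniedSchemes {
		if scheme == strings.ToLower(s) {
			return true
		}
	}
	return false
}

// IsAllowedScheme is the stricter alternative to a deny-list: only the schemes
// a conversion service actually needs are accepted, after the same normalization.
func IsAllowedScheme(raw string) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return false
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		return true
	}
	return false
}

// SchemeCaseVariants returns spellings of scheme that differ only in letter
// case (lower, Title, UPPER, alternating), for use as regression input.
func SchemeCaseVariants(scheme string) []string {
	lower := strings.ToLower(scheme)
	if lower == "" {
		return nil
	}
	var alt strings.Builder
	for i, r := range lower {
		if i%2 == 0 {
			alt.WriteRune(unicode.ToUpper(r))
		} else {
			alt.WriteRune(r)
		}
	}
	title := strings.ToUpper(lower[:1]) + lower[1:]
	return []string{lower, title, strings.ToUpper(lower), alt.String()}
}

// Bypasses feeds every case variant of a denied scheme to check and returns
// the URLs the filter let through. A correctly patched filter yields none.
func Bypasses(check func(string) bool, scheme string) []string {
	var leaked []string
	for _, v := range SchemeCaseVariants(scheme) {
		candidate := v + ":///placeholder" // constructed probe, not a real resource
		if !check(candidate) {
			leaked = append(leaked, candidate)
		}
	}
	return leaked
}

func main() {
	fmt.Println("naive deny-list let through:     ", Bypasses(IsDeniedNaive, "file"))
	fmt.Println("normalized deny-list let through:", Bypasses(IsDeniedNormalized, "file"))
	allowListDenies := func(raw string) bool { return !IsAllowedScheme(raw) }
	fmt.Println("allow-list let through:          ", Bypasses(allowListDenies, "file"))
}
```

Running it shows the naive filter passing the Title, UPPER and alternating spellings while both normalized filters pass nothing. The allow‑list form is the design a practitioner should prefer for a service that only ever needs http and https, because it needs no enumeration of dangerous schemes at all.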


Advisories

Source: GitHub GHSA
ID: GHSA-jjwv-57xh-xr6r
Title: Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
History

Wed, 08 Apr 2026 16:00:00 +0000

Values added:
  • First Time appeared: Thecodingmachine; Thecodingmachine gotenberg
  • CPEs: cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:*
  • Vendors & Products: Thecodingmachine; Thecodingmachine gotenberg
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 02:15:00 +0000

Values added:
  • First Time appeared: Gotenberg; Gotenberg gotenberg
  • Vendors & Products: Gotenberg; Gotenberg gotenberg

Tue, 31 Mar 2026 15:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Values added:
  • Description: Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.
  • Title: Gotenberg: Chromium deny-list bypass via case-insensitive URL scheme
  • Weaknesses: CWE-22; CWE-918
  • References:
  • Metrics: cvssV4_0 {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:16:20.913Z

Reserved: 2026-02-17T03:08:23.490Z

Link: CVE-2026-27018

Vulnrichment

Updated: 2026-03-31T14:16:11.237Z

NVD

Status: Analyzed

Published: 2026-03-30T21:17:08.383

Modified: 2026-04-08T15:57:06.097

Link: CVE-2026-27018

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:31Z

Weaknesses