Description
Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL.

This is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe.

This issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges.
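To make the failure mode concrete, the following Go program is an added example and is not Gotenberg's own filter.go. filterVulnerable models the behaviour the description attributes to FilterDeadline (both patterns unset, so every URL passes); filterHardened is one deny-by-default alternative; denyListPattern is a hypothetical value for GOTENBERG_API_WEBHOOK_DENY_LIST written on the assumption that the variable holds a Go regular expression matched against the whole webhook URL. The function names, the sample URLs and the allow-list pattern are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
)

// filterVulnerable is a hypothetical model of the flawed gate the advisory
// describes, not Gotenberg's own FilterDeadline: when neither pattern is set
// (the default, with both GOTENBERG_API_WEBHOOK_* lists empty) it returns nil
// for every URL, so the server will POST anywhere.
func filterVulnerable(allowed, denied *regexp.Regexp, rawURL string) error {
	if allowed == nil && denied == nil {
		return nil // no lists configured: nothing is filtered
	}
	if allowed != nil && !allowed.MatchString(rawURL) {
		return fmt.Errorf("%q does not match the allow list", rawURL)
	}
	if denied != nil && denied.MatchString(rawURL) {
		return fmt.Errorf("%q matches the deny list", rawURL)
	}
	return nil
}

// isPublic reports whether a literal address is one a webhook receiver could
// legitimately live on: loopback, RFC-1918/ULA, link-local (which covers the
// 169.254.169.254 cloud metadata endpoint), unspecified and multicast fail.
func isPublic(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:10.0.0.5 as 10.0.0.5
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// filterHardened is an added deny-by-default variant: it refuses to run without
// an allow list, accepts only http(s), applies both lists, and rejects literal
// non-public addresses even when an over-broad allow list would admit them.
func filterHardened(allowed, denied *regexp.Regexp, rawURL string) error {
	if allowed == nil {
		return errors.New("webhook allow list is not configured; refusing all URLs")
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported webhook scheme %q", u.Scheme)
	}
	if !allowed.MatchString(rawURL) {
		return fmt.Errorf("%q does not match the allow list", rawURL)
	}
	if denied != nil && denied.MatchString(rawURL) {
		return fmt.Errorf("%q matches the deny list", rawURL)
	}
	if ip, err := netip.ParseAddr(u.Hostname()); err == nil && !isPublic(ip) {
		return fmt.Errorf("%q is a non-public address", u.Hostname())
	}
	return nil
}

// denyListPattern is a hypothetical value for GOTENBERG_API_WEBHOOK_DENY_LIST,
// assuming the variable holds a Go regular expression matched against the whole
// URL. It blocks localhost, loopback, RFC-1918 and link-local literals (IPv4 and
// the common IPv6 forms); it cannot block a hostname that resolves to them.
const denyListPattern = `^https?://(?:localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+|169\.254\.\d+\.\d+|\[::1\]|\[fe80:[^\]]*\])(?::\d+)?(?:/|$)`

// sampleURLs are constructed webhook targets for the demonstration, not values
// from the advisory.
var sampleURLs = []string{
	"http://169.254.169.254/latest/meta-data/", // cloud metadata service
	"http://10.0.0.5:8080/admin/restart",       // internal service with side effects
	"http://[::1]:6379/",                       // loopback service on the Gotenberg host
	"https://hooks.example.net/gotenberg",      // the one legitimate receiver
}

// permitted returns the URLs a filter lets through under the given lists.
func permitted(filter func(allowed, denied *regexp.Regexp, rawURL string) error,
	allowed, denied *regexp.Regexp, urls []string) []string {
	var out []string
	for _, u := range urls {
		if filter(allowed, denied, u) == nil {
			out = append(out, u)
		}
	}
	return out
}

func main() {
	deny := regexp.MustCompile(denyListPattern)
	allow := regexp.MustCompile(`^https://hooks\.example\.net/`)

	fmt.Println("default (no lists):   ", permitted(filterVulnerable, nil, nil, sampleURLs))
	fmt.Println("deny list workaround: ", permitted(filterVulnerable, nil, deny, sampleURLs))
	fmt.Println("hardened + allow list:", permitted(filterHardened, allow, nil, sampleURLs))
}
```

Both variants share a limit the advisory does not spell out: a regular expression sees only the URL string, so an attacker-controlled hostname that resolves to 10.0.0.5 or 169.254.169.254 passes a literal-address deny list. That is why filterHardened refuses to run without an allow-list of named receivers, and why a production filter should also resolve the host and re-check the address at connect time rather than trusting the pattern alone.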
Published: 2026-05-05
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gotenberg, an API-driven document conversion service, suffers from an unauthenticated blind SSRF that lets an attacker make the server send an HTTP POST to any URL supplied in the Gotenberg-Webhook-Url header. The filtering logic meant to gate outbound URLs does nothing when both the allow-list and the deny-list are empty, which is the default configuration, so any target is accepted. Because the target's response body is never returned and only its status code is checked, the attack is discreet, but it still lets the attacker probe internal services, confirm reachability of cloud metadata endpoints, and trigger side effects on internal hosts that act on an unauthenticated POST.

Affected Systems

The description names Gotenberg 8.29.1 as affected, with the fix landing in 8.31.0; treat any release before 8.31.0 that leaves both GOTENBERG_API_WEBHOOK_ALLOW_LIST and GOTENBERG_API_WEBHOOK_DENY_LIST empty (the default) as exposed. An instance with either list configured is gated by that list, but only as well as the regular expression is written.

Risk and Exploitability

The attack vector is network-based and needs nothing beyond unauthenticated HTTP access to the conversion API: one crafted Gotenberg-Webhook-Url header per probe, no user interaction and no privileges. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N, score 6.9, medium) records no impact on the Gotenberg host itself; the low confidentiality and integrity impact lands on the subsequent systems the forged POSTs reach. No EPSS score is available and the flaw is not in the CISA KEV catalog, which means no confirmed in-the-wild exploitation has been recorded, not that exploitation is hard. Because the blind SSRF supports internal reconnaissance and can trigger side effects on services that act on an unauthenticated POST, it is a useful step in a broader compromise and can disrupt internal operations.

Generated by OpenCVE AI on May 5, 2026 at 22:50 UTC.

Remediation

Fixed in Gotenberg 8.31.0 (see the Description). Until an instance is upgraded, set GOTENBERG_API_WEBHOOK_ALLOW_LIST to the known webhook receivers, or GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local ranges; the allow-list is the stronger of the two because it fails closed for any destination not explicitly named.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to 8.31.0 or later to fix the SSRF issue.
  • Configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to permit only trusted webhook URLs.
  • Set the GOTENBERG_API_WEBHOOK_DENY_LIST environment variable to block RFC‑1918 and link‑local address ranges.



Advisories
Source: GitHub GHSA
ID: GHSA-5vh4-rgv7-p9g4
Title: Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL
History

Tue, 05 May 2026 22:45:00 +0000

Type: First Time appeared
Values Added: Gotenberg; Gotenberg gotenberg

Type: Vendors & Products
Values Added: Gotenberg; Gotenberg gotenberg

Tue, 05 May 2026 21:00:00 +0000

Type: Description
Values Added: the CVE description reproduced at the top of this page

Type: Title
Values Added: Gotenberg unauthenticated blind SSRF via unfiltered webhook URL

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T20:39:03.651Z

Reserved: 2026-04-06T22:06:40.515Z

Link: CVE-2026-39383

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T21:16:22.397

Modified: 2026-05-05T21:16:22.397

Link: CVE-2026-39383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T23:00:11Z

Weaknesses