Description
Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/.

This bypasses the same security control that was patched in CVE-2026-27018.

This issue has been fixed in version 8.31.0.
Published: 2026-05-05
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a case-sensitive regular expression used to filter disallowed URL schemes in Gotenberg’s webhook and API download functions. Because Go’s URL parser normalizes the scheme to lowercase before establishing a TCP connection, an attacker can bypass the deny‑list by capitalizing the scheme (e.g., HTTP://). This SSRF flaw allows an unauthenticated attacker to cause Gotenberg to make outbound requests to internal IP ranges, loopback addresses, and cloud metadata endpoints, potentially exposing sensitive data or facilitating further internal attacks. The weakness is classified as CWE-918. The likely attack vector is an unauthenticated HTTP request to the webhook or download endpoint.

Affected Systems

Gotenberg, version 8.30.1 and earlier, which includes the vulnerable deny‑lists logic. The product is an API‑based document conversion tool used in various CI/CD pipelines.

Risk and Exploitability

With a CVSS score of 7.8, this issue qualifies as a high‑severity vulnerability. Although no EPSS score is available, the lack of authentication and the straightforward bypass technique make exploitation likely in environments where Gotenberg is exposed to untrusted clients. The flaw is not listed in CISA KEV, but its potential to expose internal services makes it a significant risk. An attacker can exploit it by sending a crafted request containing a capitalized scheme to the webhook or API download endpoint; the server will then resolve the internal IP address and establish a connection, leaking data or enabling further lateral movement.

Generated by OpenCVE AI on May 5, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to version 8.31.0 or later, which contains the fix that enforces case‑sensitive scheme matching.
  • Verify that deny‑lists correctly restrict outbound traffic by testing access to internal IP addresses; confirm that connections to private ranges and metadata endpoints are blocked.
  • If an immediate upgrade is not possible, isolate Gotenberg behind a firewall that blocks outbound traffic to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) and restrict inbound access to trusted networks only.

Generated by OpenCVE AI on May 5, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5q7p-7jgv-ww56 Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
History

Tue, 05 May 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Gotenberg
Gotenberg gotenberg
Vendors & Products Gotenberg
Gotenberg gotenberg

Tue, 05 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/. This bypasses the same security control that was patched in CVE-2026-27018. This issue has been fixed in version 8.31.0.
Title Gotenberg SSRF via case-insensitive URL scheme bypass in webhook and downloadFrom deny-lists
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Gotenberg Gotenberg
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:52:40.327Z

Reserved: 2026-04-10T20:22:44.034Z

Link: CVE-2026-40280

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T20:16:38.633

Modified: 2026-05-05T20:16:38.633

Link: CVE-2026-40280

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T23:00:10Z

Weaknesses