Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters. This vulnerability is fixed in 8.32.0.
Published: 2026-05-14
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gotenberg is a Docker‑powered stateless API that converts documents to PDF using LibreOffice. Prior to version 8.32.0, the LibreOffice conversion endpoint accepts user‑supplied documents and forwards them directly to LibreOffice without validating their contents. LibreOffice then follows any embedded external URLs contained in the document, which bypasses the built‑in SSRF filters. The result is that an attacker can cause the Gotenberg server to initiate requests to arbitrary internal or external destinations by crafting a malicious document, potentially revealing sensitive information or facilitating further attacks.

Affected Systems

The affected product is Gotenberg from the vendor gotenberg. All installations running any version earlier than 8.32.0 are vulnerable. The vulnerability was introduced in the libreoffice conversion endpoint of the API.

Risk and Exploitability

The CVSS score of 8.2 classifies this as a high‑severity flaw. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is the upload of a crafted document to the LibreOffice conversion endpoint, which causes the LibreOffice process to request embedded URLs, potentially accessing internal hosts or bypassing network controls.

Generated by OpenCVE AI on May 14, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Gotenberg version 8.32.0 or later, which removes the SSRF vulnerability.
  • Restrict access to the LibreOffice conversion endpoint to trusted users or networks to limit the potential scope of an SSRF attack.
  • Configure or sandbox LibreOffice so that it cannot fetch external URLs, adding an extra layer of protection if an upgrade is delayed.

Generated by OpenCVE AI on May 14, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rm4c-xj6x-49mw Gotenberg has a Server-Side Request Forgery (SSRF) Issue
History

Thu, 14 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Gotenberg
Gotenberg gotenberg
Vendors & Products Gotenberg
Gotenberg gotenberg

Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters. This vulnerability is fixed in 8.32.0.
Title Gotenberg: Server-Side Request Forgery (SSRF) in github.com/gotenberg/gotenberg/v8
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Gotenberg Gotenberg
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:07:57.844Z

Reserved: 2026-04-29T00:31:15.724Z

Link: CVE-2026-42591

cve-icon Vulnrichment

Updated: 2026-05-14T18:07:49.203Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-14T16:16:22.163

Modified: 2026-05-14T18:16:48.083

Link: CVE-2026-42591

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T18:30:26Z

Weaknesses