Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool. When a concurrent request claims the recycled context, c.Reset() clears the store. If the webhook goroutine reaches hardTimeoutMiddleware at that moment, an unchecked type assertion on a nil store entry panics outside any recover() scope, crashing the Gotenberg process. Any anonymous caller reaches the webhook path (default webhook-deny-list filters only the webhook destination, not the submitter). A single-source stress of ~24 webhook requests plus ~60 GET /version requests crashes the process in about two seconds. This vulnerability is fixed in 8.32.0.
Published: 2026-05-14
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated denial of service caused by a race condition (CWE-362): the webhook middleware's async goroutine keeps a reference to an echo.Context that Echo manages through a sync.Pool. When the synchronous request handler returns ErrAsyncProcess, Echo recycles the context into the pool even though the goroutine still holds it. Once another request claims that context and c.Reset() clears its store, the goroutine's unchecked type assertion on the now-nil store entry panics outside any recover() scope, terminating the Gotenberg process. The crash manifests as a service outage that persists until the application is restarted.
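The bug class above is a general Go hazard: a closure or goroutine that outlives the request keeps using an object the framework has already returned to a sync.Pool. The following is an added example and not Gotenberg's or Echo's code; Context, Set/Get/Reset, contextPool and ErrAsyncProcess are stdlib-only stand-ins that mirror the names in the advisory. It replays the interleaving deterministically (handler returns, framework resets and pools the context, async work runs afterwards) and contrasts the unsafe closure with the hardened one, which copies what it needs while the handler still owns the context and uses a checked type assertion.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrAsyncProcess mirrors the sentinel named in the advisory: the handler
// returns it to signal that work continues in a goroutine. Stand-in value.
var ErrAsyncProcess = errors.New("async process")

// Context is a stdlib-only stand-in for echo.Context: a per-request
// key/value store that the framework recycles through a sync.Pool.
type Context struct {
	store map[string]interface{}
}

func (c *Context) Set(key string, val interface{}) { c.store[key] = val }
func (c *Context) Get(key string) interface{}      { return c.store[key] }

// Reset mirrors c.Reset(): the next request that claims this object
// starts with an empty store.
func (c *Context) Reset() { c.store = map[string]interface{}{} }

var contextPool = sync.Pool{
	New: func() interface{} { return &Context{store: map[string]interface{}{}} },
}

// unsafeAsyncWork captures the live *Context. After the pool recycles it,
// Get returns nil and the unchecked assertion panics: the bug class.
func unsafeAsyncWork(c *Context) func() string {
	return func() string {
		return c.Get("webhookURL").(string)
	}
}

// safeAsyncWork copies what the goroutine needs while the handler still
// owns the context and uses a checked assertion; the closure never
// touches the pooled object again.
func safeAsyncWork(c *Context) func() string {
	url, ok := c.Get("webhookURL").(string)
	if !ok {
		url = "" // missing or wrongly typed entry: degrade, do not panic
	}
	return func() string { return url }
}

// runScenario replays the race deterministically: the handler stores a
// value and returns ErrAsyncProcess, the framework resets and pools the
// context for another request, and only then the deferred work runs.
// panicked reports whether that work crashed.
func runScenario(build func(*Context) func() string) (result string, panicked bool) {
	c := contextPool.Get().(*Context)

	var work func() string
	handler := func(c *Context) error {
		c.Set("webhookURL", "https://webhook.example.invalid/done") // constructed value
		work = build(c)
		return ErrAsyncProcess
	}

	if err := handler(c); errors.Is(err, ErrAsyncProcess) {
		// Framework side: the handler has returned, so the context is
		// reset and handed back to the pool for the next request.
		c.Reset()
		contextPool.Put(c)
	}

	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	result = work()
	return result, false
}

func main() {
	r, p := runScenario(safeAsyncWork)
	fmt.Printf("safe:   result=%q panicked=%v\n", r, p)
	r, p = runScenario(unsafeAsyncWork)
	fmt.Printf("unsafe: result=%q panicked=%v\n", r, p)
}
```

The recover() in runScenario exists only so the example can report the crash; in a real server the goroutine has no such scope, which is why the advisory describes the panic taking the whole process down. The durable fix is the ownership rule shown by safeAsyncWork: nothing that runs after the handler returns may hold the pooled request context.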

Affected Systems

The impact applies to the Gotenberg Docker-powered stateless API for PDF generation. Any Gotenberg installation running a version earlier than 8.32.0 is vulnerable. Both the vendor and the product named in the advisory are Gotenberg.

Risk and Exploitability

The CVSS score of 7.5 (High) reflects a network-reachable denial of service with no privileges or user interaction required. The EPSS score is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker can trigger the crash with a small burst of concurrent webhook requests (approximately 24) combined with roughly 60 GET /version requests, which crashes the process in about two seconds. The attack requires no authentication and can be performed from any network source that can reach the exposed webhook endpoint.

Generated by OpenCVE AI on May 14, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gotenberg installation to version 8.32.0 or newer, which contains the fix for the context reuse bug.
  • Limit access to the webhook endpoint by configuring firewall rules or an access control list to allow only trusted IP addresses or networks.
  • Implement rate limiting or traffic shaping on the webhook route to reduce the likelihood of concurrent requests triggering the context reset race.
  • Set up external monitoring or a watchdog process that detects when the Gotenberg process crashes and automatically restarts it to maintain availability.

Advisories

Source: Github GHSA
ID: GHSA-r33j-c622-r6qp
Title: Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine

History

Thu, 14 May 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gotenberg; Gotenberg gotenberg
Vendors & Products                    Gotenberg; Gotenberg gotenberg

Thu, 14 May 2026 16:15:00 +0000

Type          Values Removed   Values Added
Description                    (added; identical to the Description above)
Title                          Gotenberg: Unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine
Weaknesses                     CWE-362
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:32:32.308Z

Reserved: 2026-04-29T00:31:15.724Z

Link: CVE-2026-42594

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-14T16:16:22.613

Modified: 2026-05-14T16:28:04.847

Link: CVE-2026-42594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T19:00:13Z

Weaknesses