Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services that the default deny-list is intended to block. This crosses a real security boundary because an external caller can force the server to make outbound requests to internal-only targets. This vulnerability is fixed in 8.31.0.
Published: 2026-05-14
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Server-Side Request Forgery (SSRF) that bypasses Gotenberg's default deny-list when processing supplied download URLs and webhook URLs. Because the deny-list is a case-sensitive regular expression applied to the textual form of the host, an attacker can spell a blocked address in an alternative form, such as the IPv4-mapped IPv6 literal http://[::ffff:127.0.0.1], that the pattern does not recognise but that still reaches loopback or another private address. The result is that Gotenberg can be made to fetch resources from internal-only HTTP services, effectively exposing internal network endpoints to external callers. The weakness is classified as CWE-918 (Server-Side Request Forgery).
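The following Go snippet is an added illustration, not Gotenberg's own code: the text pattern in it is constructed for the example and is not the project's real deny-list. It contrasts a case-sensitive string match with a check that parses the host as an IP address, unwraps IPv4-mapped IPv6 forms, and tests the resulting address by range.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

// Constructed, case-sensitive text pattern standing in for the kind of regex
// deny-list the advisory describes. It is NOT Gotenberg's real pattern.
var textDeny = regexp.MustCompile(`^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)`)

// textDenied is the weak approach: the host is matched as a string, so
// "LOCALHOST" (case) and "[::ffff:127.0.0.1]" (IPv4-mapped IPv6) slip through.
func textDenied(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return true // fail closed on unparsable input
	}
	return textDeny.MatchString(u.Hostname())
}

// addrDenied is the hardened approach: the host is parsed as an IP address,
// IPv4-mapped forms are unwrapped with Unmap(), and the range is checked.
func addrDenied(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return true
	}
	host := u.Hostname() // strips the [] around IPv6 literals
	if strings.EqualFold(host, "localhost") {
		return true
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		// Not an IP literal: a real check must resolve the name and test every address.
		return false
	}
	addr = addr.Unmap() // ::ffff:127.0.0.1 -> 127.0.0.1
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsUnspecified() ||
		addr.IsLinkLocalUnicast() || addr.IsLinkLocalMulticast()
}
func main() {
	for _, u := range []string{"http://[::ffff:127.0.0.1]:8080/", "http://LOCALHOST/", "http://[::1]/"} {
		fmt.Printf("%-34s text=%v addr=%v\n", u, textDenied(u), addrDenied(u))
	}
}
```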

Affected Systems

The issue affects the Gotenberg project, an open-source Docker-based API for PDF generation. All released versions before 8.31.0 are affected. Operators running an earlier build should identify the exact version of their Gotenberg container and plan an upgrade.

Risk and Exploitability

The CVSS v3.1 base score is 9.4 (Critical). No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, but the absence of those listings does not reduce the inherent danger. No authentication is required and an attacker can supply arbitrary URLs over any network path that reaches the Gotenberg endpoint, so the attack vector is network-based (AV:N). The high score reflects the potential for broad internal exposure if the service is reachable from the internet.

Generated by OpenCVE AI on May 14, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to version 8.31.0 or later, which includes the deny-list fix.
  • If upgrading is not immediately possible, isolate the Gotenberg service by restricting its outbound network access to only the ports it needs, or apply a network ACL that blocks connections from it to internal IP ranges such as 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
  • Continuously audit outbound traffic and logs for unexpected requests to internal resources, and configure alerts for suspicious patterns.



Advisories

Source: GitHub GHSA
ID: GHSA-4vmc-gm8v-m35h
Title: Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
History

Thu, 14 May 2026 17:45:00 +0000

Type: First Time appeared
  Values Added: Gotenberg; Gotenberg gotenberg
Type: Vendors & Products
  Values Added: Gotenberg; Gotenberg gotenberg

Thu, 14 May 2026 16:15:00 +0000

Type: Description
  Values Added: (identical to the Description above)
Type: Title
  Values Added: Gotenberg: Unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
Type: Weaknesses
  Values Added: CWE-918
Type: References
Type: Metrics
  Values Added: cvssV3_1, score 9.4, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-14T15:19:34.999Z
Reserved: 2026-04-29T00:31:15.724Z
Link: CVE-2026-42596

Vulnrichment
No data.

NVD
Status: Awaiting Analysis
Published: 2026-05-14T16:16:22.893
Modified: 2026-05-14T16:28:04.847
Link: CVE-2026-42596

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-05-14T18:00:14Z

Weaknesses