Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can load their own request-local assets, and those routes apply a per-request AllowedFilePrefixes guard to scope the read. The URL routes never set AllowedFilePrefixes, so the scope guard silently skips. Alice enumerates /tmp/, walks Gotenberg's per-request working directories, and reads the raw source files of other in-flight conversions as rendered PDF output. This vulnerability is fixed in 8.32.0.
Published: 2026-05-14
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to read arbitrary files located under /tmp by supplying a file:// URL to the Chromium conversion and screenshot routes. The affected routes do not enforce the per-request AllowedFilePrefixes guard, which is normally used to restrict file access to per‑request working directories. Consequently, an attacker can enumerate files in /tmp, locate Gotenberg’s temporary directories for other conversion jobs, and read the raw source files that will be rendered into PDFs. The result is an information disclosure that could expose sensitive data associated with other users’ conversions. This weakness is classified under CWE‑73 (Absolute Path Traversal) and CWE‑918 (Server‑Side Request Forgery).

Affected Systems

Gotenberg versions prior to 8.32.0, including all 8.31.x releases and earlier. The product is a Docker‑powered stateless API used for PDF generation and rendering.

Risk and Exploitability

The CVSS score is 5.9, indicating a medium severity risk. EPSS data is not available, and the vulnerability is not listed in CISA KEV, suggesting no publicly known exploitation at this time. The attack can be performed by anyone who can access the anonymous URL routes, meaning no authentication is required. The attacker only needs to craft a URL pointing to a file:// path within /tmp and submit it against the exposed endpoints. The absence of authentication or input validation makes the exploit straightforward once the routes are reachable.

Generated by OpenCVE AI on May 14, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to version 8.32.0 or later, where the AllowedFilePrefixes guard is correctly applied to URL routes.
  • If upgrade is not immediately possible, restrict access to the /forms/chromium/convert/url and /forms/chromium/screenshot/url endpoints to authenticated users only or block them entirely for unauthenticated traffic.
  • Configure a stricter AllowedFilePrefixes policy or disable the file:// scheme on the Chromium routes to ensure no files outside the intended working directory are readable.

Generated by OpenCVE AI on May 14, 2026 at 17:36 UTC.
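
The skipped scope check from the Description, next to a fail-closed form of the same check. This is an added example, not Gotenberg's code. The function names, the /tmp/req-A and /tmp/req-B directory names, and the sample URLs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// failClosedGuard reports whether rawURL may be loaded. A file:// URL passes
// only when its cleaned path is inside an allowed directory; an empty list
// therefore denies every file:// URL. Hypothetical helper, not Gotenberg code.
func failClosedGuard(rawURL string, allowedPrefixes []string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	if u.Scheme != "file" {
		return true // assumption: other schemes are filtered by separate rules
	}
	p := path.Clean(u.Path) // u.Path is percent-decoded; Clean collapses ".."
	for _, prefix := range allowedPrefixes {
		if strings.HasPrefix(p, path.Clean(prefix)+"/") {
			return true
		}
	}
	return false
}

// failOpenGuard models the flaw described above: a route that never sets its
// prefixes gets no scope check at all.
func failOpenGuard(rawURL string, allowedPrefixes []string) bool {
	if len(allowedPrefixes) == 0 {
		return true // guard silently skipped
	}
	return failClosedGuard(rawURL, allowedPrefixes)
}

func main() {
	reqDir := []string{"/tmp/req-A"} // constructed per-request directory name
	for _, u := range []string{
		"file:///tmp/req-A/index.html",
		"file:///tmp/req-A/%2e%2e/req-B/source.html",
		"file:///tmp/",
	} {
		fmt.Printf("%-45s scoped=%v unset(fail-open)=%v unset(fail-closed)=%v\n",
			u, failClosedGuard(u, reqDir), failOpenGuard(u, nil), failClosedGuard(u, nil))
	}
}
```

With an unset prefix list the fail-open variant admits every file:// URL, while the fail-closed variant admits none, so a route that forgets to set its scope loses file access instead of gaining all of /tmp.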


Advisories
Source: Github GHSA
ID: GHSA-g924-cjx7-2rjw
Title: Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme

History

Thu, 14 May 2026 18:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Gotenberg; Gotenberg gotenberg

Type: Vendors & Products
Values Added: Gotenberg; Gotenberg gotenberg

Thu, 14 May 2026 16:15:00 +0000

Type: Description
Values Added: Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can load their own request-local assets, and those routes apply a per-request AllowedFilePrefixes guard to scope the read. The URL routes never set AllowedFilePrefixes, so the scope guard silently skips. Alice enumerates /tmp/, walks Gotenberg's per-request working directories, and reads the raw source files of other in-flight conversions as rendered PDF output. This vulnerability is fixed in 8.32.0.

Type: Title
Values Added: Gotenberg: Chromium URL conversion routes read arbitrary files under /tmp via file:// scheme

Type: Weaknesses
Values Added: CWE-73; CWE-918

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:04:08.631Z

Reserved: 2026-04-29T00:31:15.724Z

Link: CVE-2026-42597

Vulnrichment

Updated: 2026-05-14T18:04:00.523Z

NVD

Status: Undergoing Analysis

Published: 2026-05-14T16:16:23.037

Modified: 2026-05-14T18:16:48.200

Link: CVE-2026-42597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T17:45:25Z
