CVE Catalog

CVE-2026-42596

Critical
Published: Translated: NVD NIST

Summary

Gotenberg is an API for PDF files that prior to version 8.31.0 had a vulnerability in the downloadFrom and webhook features. The default deny-lists were bypassable, allowing unauthenticated attackers to access internal HTTP services.

Risk Assessment

This vulnerability allows attackers to force the server to make outbound requests to internal resources, violating the organization's security.

Recommendation

It is recommended to update Gotenberg to version 8.31.0 or later to mitigate this vulnerability.

Original NVD description (English source)

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services that the default deny-list is intended to block. This crosses a real security boundary because an external caller can force the server to make outbound requests to internal-only targets. This vulnerability is fixed in 8.31.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS