CVE-2026-42595

HIGH 8.6

Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass

CVSS Score

8.6

EPSS Score

0.0%

EPSS Percentile

0th

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based SSRF. The default deny-list regex only blocks file:// URIs. An unauthenticated attacker can point Chromium at any internal IP — including loopback, RFC 1918 ranges, and cloud metadata endpoints — and receive the response rendered as a PDF. Additionally, even when operators configure a custom deny-list, the protection is bypassed via HTTP redirects. Gotenberg's Chromium instance follows 302 redirects from an attacker-controlled external URL to internal targets without re-validating the redirect destination against the deny-list. This vulnerability is fixed in 8.32.0.

CWE	CWE-918
Vendor	gotenberg
Product	gotenberg
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for gotenberg gotenberg

Be the first to know when new high vulnerabilities affecting gotenberg gotenberg are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

gotenberg / gotenberg

< 8.32.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-chwh-f6gm-r836