CVE-2026-40280
Published 2026-05-05
Priority P3 · 51 · high · 7.5 (CVSS 3.1)
EPSS: 0.46% (36.7th percentile)
Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/.
This bypasses the same security control that was patched in CVE-2026-27018.
This issue has been fixed in version 8.31.0.
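As an added illustration of the bypass the description explains (this is not Gotenberg's code; the regex and the CIDR list are constructed stand-ins for the real deny-list): the case-sensitive check over the raw URL string never fires on `HTTP://`, whereas a check run on the parsed URL sees the scheme `net/url.Parse` has already lowercased, i.e. the same value the outbound dialer will use.

```go
package main

import (
	"net"
	"net/url"
	"regexp"
)

// Weak check in the shape the advisory describes (constructed stand-in, not
// Gotenberg's code): case-sensitive regex over the raw string, lowercase scheme only.
var weakDeny = regexp.MustCompile(
	`^https?://(127\.|10\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)`)

// WeakDeny reports whether the raw-string regex blocks rawURL ("HTTP://" never matches).
func WeakDeny(rawURL string) bool { return weakDeny.MatchString(rawURL) }

// Ranges a webhook or download target must never reach: loopback, link-local
// (cloud metadata), RFC 1918 and IPv6 loopback.
var deniedCIDRs = []string{"127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
	"172.16.0.0/12", "192.168.0.0/16", "::1/128"}

// StrictDeny parses first and checks the normalised scheme and host, i.e. the
// values the dialer will actually use. True means the URL must be rejected.
func StrictDeny(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return true
	}
	// url.Parse lowercases the scheme, so HTTP:// and Http:// arrive as "http".
	if u.Scheme != "http" && u.Scheme != "https" {
		return true
	}
	ip := net.ParseIP(u.Hostname())
	if ip == nil {
		// Not an IP literal: a deployment must resolve the name and run this
		// same range check on every returned address (best done in the
		// dialer's Control hook, so DNS rebinding cannot swap in a private IP).
		return u.Hostname() == "localhost"
	}
	for _, c := range deniedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // the list above is well-formed
		}
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
```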
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v8 | >= 0 < 8.31.0 | 8.31.0 |
| thecodingmachine | gotenberg | < 8.31.0 | 8.31.0 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 7.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | | 7.8 | HIGH | |
VulDB · 2026-04-30
CVE-2026-40280 [CRITICAL] gotenberg 8.1.0 webhook/downloadFrom server-side request forgery
A vulnerability has been found in gotenberg 8.1.0 and classified as critical. This impacts an unknown function of the component webhook/downloadFrom. This manipulation causes server-side request forgery.
This vulnerability is handled as CVE-2026-40280. The attack can be initiated remotely. There is not any exploit available.
The affected component should be upgraded.
GHSA · 2026-04-30 · CVSS 7.8
CVE-2026-40280 [HIGH] CWE-918 Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
## Vulnerability Details
**CWE**: CWE-918 - Server-Side Request Forgery (SSRF)
The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex (^https?://). Any uppercase URL scheme variant (HTTP://, HTTPS://, Http://) bypasses the pattern. Go's net/url.Parse() normalizes the scheme to lowercase when making the outbound TCP connection, so the connection succeeds normally. Affected: pkg/gotenberg/filter.go:FilterDeadline(), pkg/modules/webhook/webhook.go:42, pkg/modules/api/api.go:199. Confirmed in Docker: http://172.17.0.1:12345/ returns HTTP 403 (blocked), HTTP://172.17.0.1:12345/ returns HTTP 202 (bypassed, TCP connection att
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.