CVE-2026-42591
Published 2026-05-14
Priority P3 · 47 · high · CVSS 3.1: 8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.24% (15.5th percentile)
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters. This vulnerability is fixed in 8.32.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v8 | 0 – 8.31.0 | — |
| gotenberg | gotenberg | < 8.32.0 | 8.32.0 |
| thecodingmachine | gotenberg | < 8.32.0 | 8.32.0 |
VulDB
Gotenberg up to 8.31.x LibreOffice Conversion Endpoint convert server-side request forgery (GHSA-rm4c-xj6x-49mw)
vuldb · 2026-05-14 · CVSS 8.2 · HIGH
A vulnerability was found in Gotenberg up to 8.31.x and classified as critical. The impacted element is an unknown function in the library /forms/libreoffice/convert of the component LibreOffice Conversion Endpoint. Such manipulation leads to server-side request forgery.
This vulnerability is referenced as CVE-2026-42591. It is possible to launch the attack remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
Gotenberg has a Server-Side Request Forgery (SSRF) Issue
ghsa · 2026-05-07 · HIGH · CWE-918
### Summary
The SSRF hardening shipped in v8.31.0 only covers outbound URLs that Gotenberg's Go code handles — Chromium asset fetches, webhook delivery, and download-from. The LibreOffice conversion endpoint (`/forms/libreoffice/convert`) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters.
This was verified on v8.31.0 (latest at time of writing) with a crafted DOCX, which produced 3 outbound HTTP requests from LibreOffice to the canary server used for testing.
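The summary above states that the endpoint hands uploads to LibreOffice without inspecting their content. A content-side control that complements the outbound URL filters is a pre-screen that refuses any office document declaring a reference outside its own package. The example below is added here and is neither Gotenberg's code nor the fix shipped in 8.32.0; the function names (ScanExternalRefs, scanPart, buildZip, sampleDocx) and the placeholder host canary.example.invalid are assumptions. It treats the upload as the zip container that both OOXML and ODF use, reports OOXML relationships marked TargetMode="External" and ODF xlink:href attributes carrying an absolute URI, and fails closed on input that is not a zip or whose XML parts are malformed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

type ExternalRef struct {
	Part   string // zip entry carrying the reference
	Target string // URL or path declared in the document, pointing outside the package
}

// ScanExternalRefs treats the upload as a zip container (OOXML and ODF both are) and lists every
// external reference it declares. Malformed XML is an error, so the caller rejects rather than guesses.
func ScanExternalRefs(doc []byte) ([]ExternalRef, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not a zip container: %w", err)
	}
	var refs []ExternalRef
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") && !strings.HasSuffix(f.Name, ".xml") {
			continue // binary parts (images, fonts) cannot declare references
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(io.LimitReader(rc, 16<<20)) // bound memory per part
		rc.Close()
		if err != nil {
			return nil, err
		}
		found, err := scanPart(f.Name, data)
		if err != nil {
			return nil, err
		}
		refs = append(refs, found...)
	}
	return refs, nil
}

// scanPart walks one XML part: an OOXML Relationship is external when its TargetMode says so, an
// ODF xlink:href when it carries a URI scheme (package-internal ODF targets are relative paths).
func scanPart(part string, data []byte) ([]ExternalRef, error) {
	var refs []ExternalRef
	dec := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return refs, nil
		}
		if err != nil {
			return nil, fmt.Errorf("%s: %w", part, err)
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		target, external := "", false
		for _, a := range se.Attr {
			switch {
			case a.Name.Local == "Target":
				target = a.Value
			case a.Name.Local == "TargetMode" && strings.EqualFold(a.Value, "External"):
				external = true
			case a.Name.Local == "href" && (a.Name.Space == "http://www.w3.org/1999/xlink" || a.Name.Space == "xlink") && strings.Contains(a.Value, "://"):
				target, external = a.Value, true
			}
		}
		if external {
			refs = append(refs, ExternalRef{Part: part, Target: target})
		}
	}
}

// buildZip assembles an in-memory zip; used here only to construct sample documents.
func buildZip(parts map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

// Constructed sample DOCX: one internal relationship, one external hyperlink (placeholder host).
func sampleDocx() []byte {
	return buildZip(map[string]string{"word/_rels/document.xml.rels": `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://canary.example.invalid/ping" TargetMode="External"/>
</Relationships>`})
}
```

Rejecting on any external relationship, whatever its type, is deliberate: working out which relationship types LibreOffice resolves at load time is fragile, and a stateless converter has no reason to follow links from untrusted input. The check covers the two reference mechanisms the formats themselves document and is a deny-list, not proof of absence: field codes, OLE links and non-zip formats need their own handling, and the upgrade to 8.32.0 remains the fix.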
### Details
When a file is uploaded to `/forms/libreoffice/convert`, the route in `pkg/modules/libreoffice/routes.go` reads form parameters and pa
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.