CVE-2026-42592
Published 2026-05-14
Priority: P4 · 30 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.19% (8.4th percentile)
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname with a short TTL returns a public IP on the first query (Gotenberg allows) and a private IP on the second query (Chromium connects to the attacker-chosen internal address). The CDP Fetch.requestPaused handler re-checks the URL but runs its own DNS resolution, leaving a timing window before Chromium's actual TCP connect. The rendered internal service response returns to the caller as a PDF. This vulnerability is fixed in 8.32.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v8 | 0 – 8.31.0 | — |
| gotenberg | gotenberg | < 8.32.0 | 8.32.0 |
| thecodingmachine | gotenberg | < 8.32.0 | 8.32.0 |
VulDB
Gotenberg up to 8.31.x Internal Service toctou (GHSA-2pmr-289p-44r3)
vuldb·2026-05-14·CVSS 5.3
CVE-2026-42592 [MEDIUM] Gotenberg up to 8.31.x Internal Service toctou (GHSA-2pmr-289p-44r3)
A vulnerability labeled as problematic has been found in Gotenberg up to 8.31.x. Affected is an unknown function of the component Internal Service. The manipulation results in time-of-check time-of-use.
This vulnerability is reported as CVE-2026-42592. The attack can be launched remotely. No exploit exists.
The affected component should be upgraded.
GHSA
Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
ghsa·2026-05-07
CVE-2026-42592 [MEDIUM] CWE-367 Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
## Summary
`FilterOutboundURL` resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname with a short TTL returns a public IP on the first query (Gotenberg allows) and a private IP on the second query (Chromium connects to the attacker-chosen internal address). The CDP `Fetch.requestPaused` handler re-checks the URL but runs its own DNS resolution, leaving a timing window before Chromium's actual TCP connect. The rendered internal service response returns to the caller as a PDF.
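The check-then-re-resolve gap described above, reduced to an added Go example that is not Gotenberg's code and does not represent the 8.32.0 fix. The names `vet`, `flawedTargets`, `rebinding` and the host `rebind.example` are hypothetical, and the resolver answers are constructed so the example runs offline; it contrasts discarding the vetted addresses with returning them so the connection can be pinned.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// resolver is a hypothetical lookup hook so the example runs offline.
type resolver func(host string) ([]net.IP, error)
var errDenied = errors.New("host does not resolve to public addresses only")

// vet resolves host once and returns the addresses only if every one is public.
func vet(lookup resolver, host string) ([]net.IP, error) {
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("%s: no usable answer: %w", host, errDenied)
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return nil, fmt.Errorf("%s -> %s: %w", host, ip, errDenied)
		}
	}
	return ips, nil
}

// flawedTargets keeps only vet's error, so a second lookup decides where the connection goes.
func flawedTargets(lookup resolver, host string) ([]net.IP, error) {
	if _, err := vet(lookup, host); err != nil {
		return nil, err
	}
	return lookup(host) // independent re-resolution, unchecked
}

// rebinding is constructed sample data: a public answer first, a private one afterwards.
func rebinding() resolver {
	next := "203.0.113.10"
	return func(string) ([]net.IP, error) {
		ip := net.ParseIP(next)
		next = "10.0.0.5"
		return []net.IP{ip}, nil
	}
}

func main() {
	flawed, _ := flawedTargets(rebinding(), "rebind.example")
	pinned, _ := vet(rebinding(), "rebind.example")
	fmt.Println("re-resolved:", flawed, "pinned:", pinned)
}
```

Pinning only closes the gap when the component that opens the socket connects to the vetted addresses; a client that resolves the name again on its own reintroduces the window.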
## Details
`pk
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-14