cbcvebase.
CVE-2026-42592
published 2026-05-14

CVE-2026-42592: Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the…

PriorityP430medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
0.19%
8.4th percentile
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname with a short TTL returns a public IP on the first query (Gotenberg allows) and a private IP on the second query (Chromium connects to the attacker-chosen internal address). The CDP Fetch.requestPaused handler re-checks the URL but runs its own DNS resolution, leaving a timing window before Chromium's actual TCP connect. The rendered internal service response returns to the caller as a PDF. This vulnerability is fixed in 8.32.0.

Affected

3 ranges
VendorProductVersion rangeFixed in
github.comgotenberg_gotenberg_v80 – 8.31.0
gotenberggotenberg< 8.32.08.32.0
thecodingmachinegotenberg< 8.32.08.32.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.