CVE-2026-42594
Published 2026-05-14
Priority: P343 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.35% (26.7th percentile)
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool. When a concurrent request claims the recycled context, c.Reset() clears the store. If the webhook goroutine reaches hardTimeoutMiddleware at that moment, an unchecked type assertion on a nil store entry panics outside any recover() scope, crashing the Gotenberg process. Any anonymous caller reaches the webhook path (default webhook-deny-list filters only the webhook destination, not the submitter). A single-source stress of ~24 webhook requests plus ~60 GET /version requests crashes the process in about two seconds. This vulnerability is fixed in 8.32.0.
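The description above (repeated in the GHSA summary further down) describes a lifetime bug, not a data race in the classic sense: a goroutine keeps using a pooled request context after the framework has handed that same object to another request and cleared its store, and a single-value type assertion on the now-missing entry panics outside any recover(). The block below is an added illustration, not Gotenberg or Echo code. It replaces echo.Context and sync.Pool with a tiny hand-written Context and a deterministic pool so the sequence can be replayed in order (with a real sync.Pool the interleaving is timing-dependent); the key name "hardTimeout", the ErrAsyncProcess sentinel, and the two mitigations shown (copy what the goroutine needs out of the context before returning, and use a two-value assertion with a fallback) are assumptions for the example, not a description of the fix shipped in 8.32.0, which the page does not detail.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrAsyncProcess models the sentinel described on the page: the synchronous
// handler returns it to signal that work continues in a background goroutine.
var ErrAsyncProcess = errors.New("async process")

// Context is a minimal stand-in for echo.Context (assumption: a per-request
// object with a key/value store that the framework clears before reuse).
type Context struct {
	store map[string]interface{}
}

func (c *Context) Set(k string, v interface{}) { c.store[k] = v }
func (c *Context) Get(k string) interface{}   { return c.store[k] }

// Reset models c.Reset(): the framework wipes the store when the same object
// is handed to the next request.
func (c *Context) Reset() { c.store = map[string]interface{}{} }

// contextPool is a deterministic stand-in for sync.Pool: one freed context is
// always the next one handed out, so the reuse the advisory describes is
// guaranteed rather than timing-dependent.
type contextPool struct{ free []*Context }

func (p *contextPool) Acquire() *Context {
	if n := len(p.free); n > 0 {
		c := p.free[n-1]
		p.free = p.free[:n-1]
		c.Reset() // the new request starts from an empty store
		return c
	}
	return &Context{store: map[string]interface{}{}}
}

func (p *contextPool) Release(c *Context) { p.free = append(p.free, c) }

// hardTimeoutUnchecked models the failing path: a single-value type assertion
// on a store entry that another request may already have cleared. On a nil
// entry this panics with "interface conversion: interface is nil, ...".
func hardTimeoutUnchecked(c *Context) time.Duration {
	return c.Get("hardTimeout").(time.Duration)
}

// hardTimeoutChecked is the defensive form: a two-value assertion that falls
// back to a default instead of crashing the whole process.
func hardTimeoutChecked(c *Context, fallback time.Duration) time.Duration {
	if d, ok := c.Get("hardTimeout").(time.Duration); ok {
		return d
	}
	return fallback
}

// runVulnerable replays the advisory's sequence step by step: request A stores
// its timeout and captures c for later async work, the handler returns
// ErrAsyncProcess, the framework recycles c, request B acquires the same object
// (Reset() clears the store), and only then does the deferred work read it.
// It returns the recovered panic message ("" if none) and the value read.
func runVulnerable() (panicMsg string, got time.Duration) {
	pool := &contextPool{}
	a := pool.Acquire()
	a.Set("hardTimeout", 30*time.Second)
	deferredWork := func() time.Duration { return hardTimeoutUnchecked(a) }
	if err := ErrAsyncProcess; errors.Is(err, ErrAsyncProcess) {
		pool.Release(a) // framework treats the request as finished
	}
	b := pool.Acquire() // concurrent request B: same pointer as a, store cleared
	_ = b
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r) // in the real service nothing recovers here
		}
	}()
	got = deferredWork()
	return panicMsg, got
}

// runFixed applies mitigation 1: copy the values the goroutine needs out of the
// context before the handler returns, so the async work never touches c again.
func runFixed() time.Duration {
	pool := &contextPool{}
	a := pool.Acquire()
	a.Set("hardTimeout", 30*time.Second)
	job := struct{ hardTimeout time.Duration }{hardTimeout: hardTimeoutChecked(a, 10*time.Second)}
	deferredWork := func() time.Duration { return job.hardTimeout } // no reference to a
	pool.Release(a)
	pool.Acquire() // request B reuses and resets the object; the job is unaffected
	return deferredWork()
}

// runDefensive applies mitigation 2 alone: the context is still misused, but the
// checked assertion degrades to the fallback instead of killing the process.
func runDefensive() time.Duration {
	pool := &contextPool{}
	a := pool.Acquire()
	a.Set("hardTimeout", 30*time.Second)
	pool.Release(a)
	pool.Acquire()
	return hardTimeoutChecked(a, 10*time.Second)
}

func main() {
	msg, _ := runVulnerable()
	fmt.Printf("unchecked assertion after reuse: panic=%q\n", msg)
	fmt.Printf("values copied before return:    %v\n", runFixed())
	fmt.Printf("checked assertion after reuse:  %v (fallback)\n", runDefensive())
}
```

The first mitigation is the structural one: anything a detached goroutine needs must be copied out of a pooled request object before the synchronous handler returns, because the framework's pool is free to hand that object to the next request. The checked assertion is defence in depth; it prevents one bad read from taking the process down, which is exactly the amplification that makes this an unauthenticated remote denial of service.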
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v8 | >= 0 < 8.32.0 | 8.32.0 |
| gotenberg | gotenberg | < 8.32.0 | 8.32.0 |
| thecodingmachine | gotenberg | < 8.32.0 | 8.32.0 |
VulDB
Gotenberg up to 8.31.x PDF File c.Reset echo.Context race condition (GHSA-r33j-c622-r6qp)
vuldb·2026-05-14·CVSS 7.5
CVE-2026-42594 [HIGH] Gotenberg up to 8.31.x PDF File c.Reset echo.Context race condition (GHSA-r33j-c622-r6qp)
A vulnerability was found in Gotenberg up to 8.31.x and classified as problematic. This issue affects the function c.Reset of the component PDF File Handler. The manipulation of the argument echo.Context results in a race condition.
This vulnerability is identified as CVE-2026-42594. The attack can be executed remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine
ghsa·2026-05-07
CVE-2026-42594 [HIGH] CWE-362 Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine
## Summary
The webhook middleware spawns a goroutine that holds a reference to the request's `echo.Context` after the synchronous handler returns `ErrAsyncProcess` and Echo recycles the context back to its `sync.Pool`. When a concurrent request claims the recycled context, `c.Reset()` clears the store. If the webhook goroutine reaches `hardTimeoutMiddleware` at that moment, an unchecked type assertion on a nil store entry panics outside any `recover()` scope, crashing the Gotenberg process. Any anonymous caller reaches the webhook path (default `webhook-deny-list` filters only the webhook destination, not the submitter). A single-source stress of ~24 webhook requests plus ~60 `GET /v
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-14