CVE-2026-42595
Published 2026-05-14
Priority P354 · high · CVSS 3.1 score 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS 0.31% (23.0th percentile)
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based SSRF. The default deny-list regex only blocks file:// URIs. An unauthenticated attacker can point Chromium at any internal IP — including loopback, RFC 1918 ranges, and cloud metadata endpoints — and receive the response rendered as a PDF. Additionally, even when operators configure a custom deny-list, the protection is bypassed via HTTP redirects. Gotenberg's Chromium instance follows 302 redirects from an attacker-controlled external URL to internal targets without re-validating the redirect destination against the deny-list. This vulnerability is fixed in 8.32.0.
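As an added illustration (this is not Gotenberg's code, nor taken from the advisory), the following Go snippet shows the two checks the description above says were missing: the target host is resolved and refused if it lands in loopback, RFC 1918 or link-local space instead of only matching a `file://` regex, and the same check is re-run on every redirect hop through `http.Client`'s `CheckRedirect`, which is what the 302-based bypass exploits. The names `blockedCIDRs`, `IsBlockedIP`, `ValidateTarget` and `NewRedirectSafeClient` are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)
// Constructed example, not Gotenberg's own code. Ranges a filter should refuse:
// loopback, RFC 1918, link-local (where cloud metadata listens) and IPv6 kin.
var blockedCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10"}
// IsBlockedIP reports whether ip lies inside any denied range.
func IsBlockedIP(ip net.IP) bool {
	for _, c := range blockedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}
// ValidateTarget accepts only http/https URLs whose host resolves solely to
// non-blocked addresses; resolving (not regex-matching) also catches aliases
// like "localhost". resolve (net.LookupIP in production) must pass IP literals.
func ValidateTarget(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("rejecting %q: only http/https URLs are allowed", raw)
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", u.Hostname(), err)
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return fmt.Errorf("%s resolves to blocked address %s", u.Hostname(), ip)
		}
	}
	return nil
}
// NewRedirectSafeClient re-validates every redirect hop, so a 302 from a
// permitted external host cannot steer the fetch to an internal target.
func NewRedirectSafeClient(resolve func(string) ([]net.IP, error)) *http.Client {
	return &http.Client{CheckRedirect: func(r *http.Request, via []*http.Request) error {
		if len(via) >= 5 { // bound the chain, as net/http's default policy does
			return fmt.Errorf("too many redirects")
		}
		return ValidateTarget(r.URL.String(), resolve)
	}}
}
```

Note that a check like this still has to run inside the renderer's fetch path (here it applies to a Go `http.Client`, not to a separately launched Chromium), and DNS rebinding between validation and fetch is a remaining gap that resolution-time checks alone do not close.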
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v8 | >= 0 < 8.32.0 | 8.32.0 |
| gotenberg | gotenberg | < 8.32.0 | 8.32.0 |
| thecodingmachine | gotenberg | < 8.32.0 | 8.32.0 |
VulDB · 2026-05-14 · CVSS 8.6
CVE-2026-42595 [HIGH] Gotenberg up to 8.31.x URL-to-PDF Endpoint url server-side request forgery (GHSA-chwh-f6gm-r836)
A vulnerability categorized as critical has been discovered in Gotenberg up to 8.31.x. This vulnerability affects unknown code of the file /forms/chromium/convert/url of the component URL-to-PDF Endpoint. Such manipulation leads to server-side request forgery.
This vulnerability is listed as CVE-2026-42595. The attack may be performed remotely. There is no available exploit.
It is advisable to upgrade the affected component.
GHSA · 2026-05-11
CVE-2026-42595 [HIGH] CWE-918 Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass
A review of 4 published Gotenberg security advisories exposed an SSRF issue. GHSA-pjrr-jgp4-v2fm covers SSRF via the `downloadFrom` endpoint. GHSA-pcrp-7g9h-7qhp covers SSRF via the `webhook` endpoint. Neither advisory addresses SSRF through the primary Chromium URL-to-PDF conversion endpoint (`/forms/chromium/convert/url`), which has no default deny-list for HTTP/HTTPS targets. The redirect-based deny-list bypass described here also applies to `downloadFrom` and `webhook` but is a separate finding from the initial request validation those advisories cover.
### Summary
Gotenberg's Chromium URL-to-PDF endpoint (`/forms/chromium/convert/url`) has no default protection against HTTP/HTTPS-b
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-14