cbcvebase.
CVE-2026-45742
published 2026-05-29


Severity: high

## Gotenberg has a Race Condition via Multipart `downloadFrom` Handling

### Summary

Gotenberg is vulnerable to a remote denial of service in multipart `downloadFrom` handling.

A multipart request containing multiple `downloadFrom` entries causes concurrent goroutines to write to shared maps without synchronization. This can terminate the process with `fatal error: concurrent map writes`.

In the default configuration, `downloadFrom` is enabled and authentication is disabled, so an exposed instance can be crashed by an unauthenticated remote attacker.

### Details

The issue is in `pkg/modules/api/context.go`.

`newContext` parses multipart requests and processes the `downloadFrom` form field before the route handler runs. For each `downloadFrom` entry, it starts a goroutine via `errgroup.Go()`:

- `pkg/modules/api/context.go:221`

Each goroutine downloads a file and then writes to request context maps shared by all goroutines:

- `ctx.files[filename] = path`
- `ctx.diskToOriginal[path] = filename`
- `ctx.filesByField[...] = append(...)`

Affected lines in current `main`:

- `pkg/modules/api/context.go:395`
- `pkg/modules/api/context.go:396`
- `pkg/modules/api/context.go:401`

Go maps and slices are not safe for concurrent writes. A crafted multipart request with many `downloadFrom` entries can therefore trigger a runtime crash.

The vulnerable `downloadFrom` feature was introduced in commit `f2b6bd3d`. The first tagged release containing this code appears to be `v8.10.0`.
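One way to close the race described above, shown here as an added illustration rather than Gotenberg's own code or its actual fix: every write to the three shared maps goes through a single method that holds a mutex, while the per-entry goroutines still run concurrently. `sync.WaitGroup` stands in for `errgroup.Go()`, and the real download is replaced by a constructed filename and path.

```go
package main

import (
	"fmt"
	"sync"
)

// uploadContext holds the three per-request maps the advisory names. The mutex is
// the fix: vulnerable Gotenberg versions wrote to these maps from several goroutines.
type uploadContext struct {
	mu             sync.Mutex
	files          map[string]string   // filename -> on-disk path
	diskToOriginal map[string]string   // on-disk path -> filename
	filesByField   map[string][]string // form field -> filenames
}

// register is the only writer of the shared maps and always holds the lock.
func (c *uploadContext) register(field, filename, path string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.files[filename] = path
	c.diskToOriginal[path] = filename
	c.filesByField[field] = append(c.filesByField[field], filename)
}

// processDownloadFrom starts one goroutine per downloadFrom entry, as Gotenberg does.
// WaitGroup stands in for errgroup.Go (simplification); the download is simulated.
func processDownloadFrom(urls []string) *uploadContext {
	ctx := &uploadContext{
		files:          map[string]string{},
		diskToOriginal: map[string]string{},
		filesByField:   map[string][]string{},
	}
	var wg sync.WaitGroup
	for i := range urls {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			filename := fmt.Sprintf("download%d.html", i) // constructed name
			ctx.register("downloadFrom", filename, "/tmp/gotenberg/"+filename)
		}(i)
	}
	wg.Wait()
	return ctx
}

func main() { fmt.Println(len(processDownloadFrom(make([]string, 500)).files), "files registered") }
```

Running this under `go test -race` reports nothing; the same harness with the lock removed from `register` is how a regression test would catch the advisory's unsynchronised writes.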

### PoC

The following self-contained command creates a temporary test file, runs the PoC, and removes the file afterwards. It does not require any external network access.

Run from the repository root:

```shell
cat > pkg/modules/api/downloadfrom_race_poc_test.go <<'EOF'
//go:build security_poc

package api

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log/slog"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"sync"
	"testing"
	"time"

	"github.com/labstack/echo/v4"

	"github.com/gotenberg/gotenberg/v8/pkg/gotenb
```

### Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v8 | >= 8.10.0, < 8.33.0 | 8.33.0 |