PatchSiren cyber security CVE debrief

CVE-2026-42591 gotenberg CVE debrief

Gotenberg versions prior to 8.32.0 contain a server-side request forgery (SSRF) vulnerability in the LibreOffice conversion endpoint. The `/forms/libreoffice/convert` endpoint accepts document uploads and passes them directly to LibreOffice without content inspection. LibreOffice then independently fetches any embedded external URLs, bypassing Gotenberg's SSRF filters entirely. This allows attackers to induce unauthorized outbound requests from the server by embedding malicious URLs in documents submitted for conversion. The vulnerability is classified as CWE-918 (Server-Side Request Forgery). The issue was published on 2026-05-14 and last modified on 2026-05-18. No known exploitation in ransomware campaigns has been reported.

Vendor: gotenberg
Product: Unknown
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-18
Advisory published: 2026-05-14
Advisory updated: 2026-05-18

Who should care

Organizations running Gotenberg PDF conversion services, particularly those exposed to untrusted user input or operating in multi-tenant environments. Security teams responsible for containerized document processing pipelines and API security. DevOps engineers managing Gotenberg deployments who need to assess patch urgency and implement compensating controls.

Technical summary

The Gotenberg PDF conversion service exposes a LibreOffice conversion endpoint that insufficiently validates uploaded documents. When a submitted document contains embedded external URLs, LibreOffice resolves and fetches those URLs on its own, outside Gotenberg's security controls. This architectural bypass enables SSRF: an attacker can coerce the server into making requests to arbitrary internal or external destinations. The root cause is a trust boundary violation: document content is handed to an external processor (LibreOffice) without sanitization or network isolation. The fix in version 8.32.0 presumably adds content inspection or network-level restrictions to close the bypass.

Defensive priority

High

Recommended defensive actions

  • Upgrade Gotenberg to version 8.32.0 or later to remediate this vulnerability
  • If immediate patching is not feasible, restrict network egress from Gotenberg containers to prevent unauthorized outbound requests
  • Implement additional network segmentation to limit the impact of potential SSRF exploitation
  • Monitor conversion endpoint access logs for anomalous document submission patterns
  • Review and validate any custom SSRF filtering implementations, as LibreOffice's independent URL fetching bypasses application-layer controls
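The second and last actions above (restrict what the converter can reach, and do not rely on application-layer SSRF filters that LibreOffice never sees) can be backed by an inspection step that runs before a document is handed to the conversion endpoint. The script below is an added example, not Gotenberg's or LibreOffice's own code. It opens a zip-based document (.docx/.odt style containers), parses every XML and relationship part, and rejects the upload if any `href` or `Target` attribute carries an absolute URL that points at a `file:` path, a non-routable address, or a host outside a hypothetical operator-maintained allowlist (`ALLOWED_HOSTS`, an assumption). The sample .docx it builds for testing is constructed here, not taken from any real upload.

```python
"""Pre-screen zip-based office documents for external URL references.

Added example (not Gotenberg's code). Assumes uploads are OOXML/ODF zip
containers and that the operator maintains ALLOWED_HOSTS (hypothetical).
"""
import io
import ipaddress
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

# Hypothetical allowlist (assumption): the only hosts the converter may fetch from.
ALLOWED_HOSTS = {"assets.example.internal"}

# Attribute local names that carry link targets in ODF (xlink:href) and OOXML (Target).
# The Type attribute of relationship parts is deliberately excluded: it holds schema
# URIs, not fetch targets, and would otherwise produce false positives.
LINK_ATTRS = {"href", "target"}


def find_external_refs(doc_bytes: bytes):
    """Return [(part_name, url_or_None)] for absolute URLs in XML/.rels parts.

    Returns None when the payload is not a zip container (e.g. legacy binary
    formats), which this check cannot inspect. A None url marks an XML part
    that failed to parse.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return None
    refs = []
    with zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                refs.append((name, None))
                continue
            for el in root.iter():
                for attr, value in el.attrib.items():
                    local = attr.rsplit("}", 1)[-1].lower()  # strip XML namespace
                    # Relative package paths (media/image1.png) have no scheme and are skipped.
                    if local in LINK_ATTRS and urlparse(value).scheme:
                        refs.append((name, value))
    return refs


def classify_url(url: str) -> str:
    """Return 'allowed' or a reason for rejecting the reference (default deny)."""
    p = urlparse(url)
    if p.scheme.lower() == "file":
        return "file scheme reaches the converter's local filesystem"
    host = (p.hostname or "").lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"host {host!r} not on allowlist"
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
        return f"address {host} is in a non-routable range"
    return f"literal address {host} not on allowlist"


def screen_document(doc_bytes: bytes):
    """Return (accept, findings) for one upload; accept is False on any finding."""
    refs = find_external_refs(doc_bytes)
    if refs is None:
        return False, ["not a zip-based document; cannot inspect, rejected by default"]
    findings = []
    for part, url in refs:
        if url is None:
            findings.append(f"{part}: unparseable XML part")
            continue
        verdict = classify_url(url)
        if verdict != "allowed":
            findings.append(f"{part}: {url} -> {verdict}")
    return not findings, findings


def build_sample_docx(image_target: str) -> bytes:
    """Constructed minimal .docx whose relationships part links an external image."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/></Types>')
    pkg_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
                'Target="word/document.xml"/></Relationships>')
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p/></w:body></w:document>')
    doc_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
                f'Target="{image_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("_rels/.rels", pkg_rels)
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for target in ("http://10.0.0.5/logo.png", "https://assets.example.internal/logo.png"):
        print(target, screen_document(build_sample_docx(target)))
```

This is a compensating control, not a substitute for the egress restriction: it only sees zip-based formats, only the link attributes listed in `LINK_ATTRS`, and it cannot know about every way LibreOffice might be induced to fetch something. Its value is that the decision is made by code you control before the document reaches LibreOffice, which is exactly the point at which Gotenberg's own filters are bypassed.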

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) confirms network accessibility with low attack complexity, no required privileges or user interaction, and high confidentiality impact with low integrity impact. The affected version range is confirmed as all versions prior to 8.32.0 based on CPE criteria from NVD.

Official resources

The vulnerability was disclosed through GitHub Security Advisories and subsequently published in the NVD. The vendor has acknowledged the issue and released a patched version.