PatchSiren cyber security CVE debrief
CVE-2026-42595 gotenberg CVE debrief
CVE-2026-42595 documents a server-side request forgery (SSRF) vulnerability in Gotenberg, a Docker-powered stateless API for PDF generation. The vulnerability affects versions prior to 8.32.0 and was published on May 14, 2026, with a subsequent modification on May 18, 2026. The issue resides in the Chromium URL-to-PDF endpoint (/forms/chromium/convert/url), which by default lacks protection against HTTP/HTTPS-based SSRF attacks. The default deny-list regex only blocks file:// URIs, leaving internal IP addresses—including loopback, RFC 1918 ranges, and cloud metadata endpoints—accessible to unauthenticated attackers. Additionally, even when operators configure custom deny-lists, the protection can be bypassed through HTTP 302 redirects; Gotenberg's Chromium instance follows redirects from attacker-controlled external URLs to internal targets without re-validating the redirect destination against the deny-list. The vulnerability is rated HIGH severity with a CVSS score of 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). The weakness is classified as CWE-918 (Server-Side Request Forgery).
- Vendor: gotenberg
- Product: Unknown
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Organizations running Gotenberg versions prior to 8.32.0 for document conversion services, particularly those deployed in cloud environments with accessible metadata endpoints or internal service meshes. Security teams responsible for containerized API security and SSRF prevention should prioritize this vulnerability.
Technical summary
The Gotenberg API's Chromium-based URL-to-PDF conversion endpoint fails to restrict HTTP/HTTPS requests to internal resources by default. The default deny-list only blocks file:// schemes, permitting unauthenticated attackers to probe internal networks. Furthermore, HTTP redirect handling does not re-apply deny-list validation, enabling bypass of custom restrictions through attacker-controlled redirect chains.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Gotenberg to version 8.32.0 or later to address the SSRF vulnerability.
- If immediate patching is not feasible, restrict network access to the Gotenberg service to trusted sources only.
- Implement network-level controls to prevent the Gotenberg container from reaching internal IP ranges, cloud metadata endpoints (such as 169.254.169.254), and loopback addresses.
- Review and strengthen deny-list configurations, keeping in mind that redirect-based bypasses may still pose risks in unpatched versions.
- Monitor for suspicious requests to the /forms/chromium/convert/url endpoint, particularly those targeting internal IP addresses or exhibiting redirect chains.
- Consider deploying Gotenberg in an isolated network segment with egress filtering to limit potential SSRF impact.
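Added illustration, not Gotenberg's code and not part of this debrief's evidence: a Go deny-list check (Go being the language Gotenberg itself is written in) that covers loopback, RFC 1918 and link-local space rather than only file://, and that is re-applied on every redirect hop through http.Client's CheckRedirect. The names ErrDenied, resolve, denied, CheckTarget and NewClient are chosen here.

```go
package main
import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
)

// Constructed example, not Gotenberg's code: a deny-list check that is re-applied on every redirect hop.
var ErrDenied = errors.New("ssrf policy: destination denied")
// resolve is a variable so tests can stub DNS; the system resolver returns IP literals without a lookup.
var resolve = func(host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(context.Background(), "ip", host)
}
// denied: loopback, RFC 1918/ULA private, link-local (169.254.0.0/16 holds the metadata endpoint) or unspecified; Unmap judges ::ffff:10.0.0.1 as IPv4.
func denied(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsUnspecified()
}
// CheckTarget allows only http/https URLs whose every resolved address passes denied. It does not pin
// that address for the later connection, so it complements egress filtering rather than replacing it.
func CheckTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("%w: %q is not an http(s) URL", ErrDenied, raw)
	}
	addrs, err := resolve(u.Hostname())
	if err != nil {
		return err
	}
	for _, a := range addrs {
		if denied(a) {
			return fmt.Errorf("%w: %s -> %s", ErrDenied, u.Hostname(), a)
		}
	}
	return nil
}

// NewClient re-checks every redirect hop, so a 302 from an allowed URL to an internal address is refused.
func NewClient() *http.Client {
	return &http.Client{CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if len(via) >= 10 {
			return errors.New("too many redirects")
		}
		return CheckTarget(req.URL.String())
	}}
}
```

Because CheckRedirect runs before each hop is followed, an external URL that answers with a 302 to 169.254.169.254 fails at the redirect instead of being fetched.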
Evidence notes
The vulnerability description and technical details are sourced from the official CVE record and NVD entry. The CVSS vector and CWE classification are derived from NVD metadata. The affected version range and fix version are confirmed through CPE criteria in the NVD record.
Official resources
- CVE-2026-42595 CVE record (CVE.org)
- CVE-2026-42595 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [link not preserved in this copy] (NVD reference tags: Exploit, Vendor Advisory)
The vulnerability was disclosed through GitHub Security Advisories and subsequently analyzed by NVD. The vendor has acknowledged the issue and released a fix.