PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42594 Thecodingmachine CVE debrief

A race condition in Gotenberg's webhook middleware allows unauthenticated remote attackers to crash the service. The vulnerability stems from improper handling of Echo's context lifecycle: after a synchronous handler returns ErrAsyncProcess, the webhook middleware spawns a goroutine that retains a reference to the request's echo.Context. Echo recycles this context to its sync.Pool, and when a concurrent request claims the recycled context, c.Reset() clears the store. If the webhook goroutine reaches hardTimeoutMiddleware at this moment, an unchecked type assertion on a nil store entry causes a panic outside any recover() scope, terminating the Gotenberg process. The default webhook-deny-list only filters webhook destinations, not submitters, leaving the endpoint exposed to any anonymous caller. A stress test of approximately 24 webhook requests combined with ~60 GET /version requests crashes the process in roughly two seconds. This vulnerability affects all versions prior to 8.32.0 and was fixed in that release.

Vendor: Thecodingmachine
Product: Gotenberg
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-18
Advisory published: 2026-05-14
Advisory updated: 2026-05-18

Who should care

Organizations running Gotenberg PDF conversion services, particularly those exposing webhook endpoints to untrusted networks or the public internet. DevOps teams managing containerized document processing pipelines. Security teams monitoring for denial-of-service conditions in API infrastructure.

Technical summary

The vulnerability exists in Gotenberg's webhook middleware implementation. When processing asynchronous webhooks, the middleware spawns a goroutine that continues to reference the request's echo.Context after the synchronous handler returns ErrAsyncProcess. The Echo web framework recycles contexts via sync.Pool for performance. When a concurrent request obtains the recycled context and c.Reset() is called, the store is cleared. The webhook goroutine may then reach hardTimeoutMiddleware and perform an unchecked type assertion on a store entry that is now nil, causing an unrecoverable panic. The crash occurs outside any defer/recover scope, so the whole process terminates rather than a single request failing. The default configuration does not authenticate or restrict webhook submitters; it only filters webhook destination URLs. Exploitation requires no authentication, and a moderate volume of concurrent requests is enough to trigger the race reliably.
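As an added illustration, not Gotenberg's or Echo's code, the Go program below models the lifecycle described above with a hypothetical pooled Context type: a bare type assertion on a store entry that a recycled context has cleared panics, the comma-ok form returns an error instead, and copying the values the goroutine needs out of the context before the handler returns removes the dependency on the context's lifetime entirely. The Context type, the store keys and the webhook URL are constructed assumptions, not identifiers from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Context is a hypothetical stand-in for an Echo-style request context whose
// per-request key/value store is pooled and wiped by Reset. Not Echo's code.
type Context struct {
	store map[string]any
}

func (c *Context) Set(key string, val any) { c.store[key] = val }
func (c *Context) Get(key string) any     { return c.store[key] }

// Reset is what the framework calls when a new request claims a recycled
// context: every entry the previous request stored is gone.
func (c *Context) Reset() {
	for k := range c.store {
		delete(c.store, k)
	}
}

var contextPool = sync.Pool{
	New: func() any { return &Context{store: map[string]any{}} },
}

// hardTimeoutUnchecked models the defect class: a bare type assertion on a
// store entry. If the entry is nil because the context was recycled, this
// panics; in a goroutine with no recover() that ends the process.
func hardTimeoutUnchecked(c *Context) time.Duration {
	return c.Get("timeout").(time.Duration)
}

// hardTimeoutChecked is the hardened read: comma-ok assertion, error return.
func hardTimeoutChecked(c *Context) (time.Duration, error) {
	d, ok := c.Get("timeout").(time.Duration)
	if !ok {
		return 0, errors.New("timeout missing from store: context recycled or never set")
	}
	return d, nil
}

// webhookJob holds copies of everything the async goroutine needs, taken
// while the handler still owns the context.
type webhookJob struct {
	Timeout time.Duration
	URL     string
}

func snapshotJob(c *Context) (webhookJob, error) {
	d, err := hardTimeoutChecked(c)
	if err != nil {
		return webhookJob{}, err
	}
	u, ok := c.Get("webhookURL").(string)
	if !ok {
		return webhookJob{}, errors.New("webhookURL missing from store")
	}
	return webhookJob{Timeout: d, URL: u}, nil
}

// uncheckedPanics reports whether hardTimeoutUnchecked panics on c. The
// recover exists only so this demonstration survives; the vulnerable
// goroutine had none.
func uncheckedPanics(c *Context) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	hardTimeoutUnchecked(c)
	return false
}

func main() {
	// Request 1: the handler populates the store, then returns ErrAsyncProcess.
	ctx := contextPool.Get().(*Context)
	ctx.Set("timeout", 30*time.Second)
	ctx.Set("webhookURL", "https://example.invalid/hook") // constructed value

	// Safe hand-off: copy what the goroutine needs before the handler returns.
	job, err := snapshotJob(ctx)
	if err != nil {
		fmt.Println("snapshot failed:", err)
		return
	}

	// The handler returns and the framework recycles ctx. A concurrent request
	// claims the same object and Reset clears the store. Calling Reset directly
	// stands in for that concurrent request so the outcome is deterministic.
	contextPool.Put(ctx)
	ctx.Reset()

	fmt.Println("unchecked assertion panics:", uncheckedPanics(ctx)) // true
	_, err = hardTimeoutChecked(ctx)
	fmt.Println("checked assertion returns error:", err != nil) // true
	fmt.Println("snapshot unaffected:", job.Timeout, job.URL)
}
```

Running it shows the unchecked read panicking while the checked read degrades to an error and the snapshot keeps its values. In the real service the panic happens in a goroutine with no recover() of its own, which is why a single nil entry becomes a process-wide outage; either of the two defensive patterns would have kept the failure local to one webhook.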

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Gotenberg 8.32.0 or later to eliminate the race condition in webhook middleware context handling
  • If immediate patching is not feasible, restrict network access to the Gotenberg webhook endpoint to trusted sources only
  • Monitor Gotenberg process logs for unexpected panics or crashes that may indicate exploitation attempts
  • Review the webhook-deny-list configuration to confirm it restricts destinations appropriately for your deployment; note that it filters webhook destinations only, not who may submit requests, so it does not substitute for network-level access control on the endpoint
  • Consider rate limiting webhook submission endpoints to make the race condition harder to trigger

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-14 and modified 2026-05-18. The GitHub Security Advisory (GHSA-r33j-c622-r6qp) is tagged as Exploit, Mitigation, and Vendor Advisory. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H confirms network accessibility with low attack complexity, no privileges required, and high availability impact. CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) is identified as the weakness type.
