PatchSiren cyber security CVE debrief
CVE-2026-42597 Thecodingmachine CVE debrief
Gotenberg versions prior to 8.32.0 contain a path traversal vulnerability in the URL-based conversion and screenshot routes. The `/forms/chromium/convert/url` and `/forms/chromium/screenshot/url` endpoints accept `url=file:///tmp/...` from unauthenticated callers. Gotenberg's default Chromium deny-list intentionally exempts `file:///tmp/` so that the HTML and Markdown routes can load request-local assets, and those routes set a per-request `AllowedFilePrefixes` guard that scopes file access to the request's own working directory. The URL routes never set this guard, so the scope check silently skips instead of failing closed. An attacker can enumerate `/tmp/`, traverse Gotenberg's per-request working directories, and read the raw source files of other in-flight conversions, returned to them as rendered PDF output. The result is an information disclosure: temporary files belonging to concurrent conversion requests are exposed. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects network reachability without authentication, with high attack complexity because the target directories exist only while the other request is being processed. The vulnerability was published on 2026-05-14 and last modified on 2026-05-18. No known exploitation in ransomware campaigns has been documented.
- Vendor: Thecodingmachine
- Product: Gotenberg
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Organizations running Gotenberg PDF conversion services, particularly those that expose instances to untrusted networks or that process sensitive documents from multiple concurrent users. The files an attacker can read are those of whichever other conversions are in flight at the time, so the risk scales with request volume and document sensitivity.
Technical summary
The vulnerability lies in Gotenberg's URL-based Chromium routes, which never initialize the `AllowedFilePrefixes` guard. When a request specifies `url=file:///tmp/...`, the scope check sees a nil configuration and skips rather than denying, so Chromium may open any file under `/tmp/`, including other requests' working directories. The HTML and Markdown routes set the guard correctly, restricting file access to the request's own assets. The fix in 8.32.0 applies proper scoping to the URL routes as well. The underlying defect is a fail-open check: an absent allow-list is treated as "no restriction" instead of "nothing allowed".
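The fail-open check described above, as an added example that is not Gotenberg's own code: the names `checkFileURLVulnerable`, `checkFileURLFixed`, `fileURLPath`, `inScope`, the error values and the `/tmp/req-123` working directory are this example's assumptions. The first function reproduces the pattern in which a nil prefix list means the check is skipped; the second fails closed, and it cleans `..` and percent-encoded segments before the prefix comparison so that a traversal inside an otherwise permitted directory is still rejected.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Errors returned by the fixed check. Names are this example's own, not Gotenberg's.
var (
	ErrNoScope    = errors.New("file: URL requested but no allowed prefixes configured")
	ErrOutOfScope = errors.New("file: URL resolves outside the allowed prefixes")
)

// fileURLPath returns (path, true) for a file: URL and ("", false) for any other
// scheme. url.Parse lowercases the scheme and percent-decodes the path, so "FILE:"
// and "%2e%2e" variants are normalized before any prefix comparison.
func fileURLPath(raw string) (string, bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false, err
	}
	if u.Scheme != "file" {
		return "", false, nil
	}
	return u.Path, true, nil
}

// inScope reports whether p, after cleaning "." and ".." segments, sits inside one
// of the allowed prefixes. Comparing against pre+"/" stops "/tmp/req-1" from
// matching "/tmp/req-10".
func inScope(p string, prefixes []string) bool {
	clean := path.Clean("/" + p)
	for _, pre := range prefixes {
		pre = path.Clean("/" + pre)
		if clean == pre || strings.HasPrefix(clean, pre+"/") {
			return true
		}
	}
	return false
}

// checkFileURLVulnerable reproduces the fail-open pattern from the advisory: a nil
// prefix list is read as "no guard configured" and the check is skipped entirely.
func checkFileURLVulnerable(raw string, allowedPrefixes []string) error {
	p, isFile, err := fileURLPath(raw)
	if err != nil || !isFile {
		return err
	}
	if allowedPrefixes == nil {
		return nil // BUG: absent guard treated as "allow everything"
	}
	if !inScope(p, allowedPrefixes) {
		return ErrOutOfScope
	}
	return nil
}

// checkFileURLFixed fails closed: a file: URL is allowed only when a scope has been
// configured for this request and the cleaned path falls inside it.
func checkFileURLFixed(raw string, allowedPrefixes []string) error {
	p, isFile, err := fileURLPath(raw)
	if err != nil || !isFile {
		return err
	}
	if len(allowedPrefixes) == 0 {
		return ErrNoScope
	}
	if !inScope(p, allowedPrefixes) {
		return ErrOutOfScope
	}
	return nil
}

func main() {
	// Constructed inputs: a request-local asset, another in-flight request's working
	// directory, a traversal that is only visible after decoding, and a non-file URL.
	ownDir := []string{"/tmp/req-123"}
	cases := []string{
		"file:///tmp/req-123/index.html",
		"file:///tmp/req-999/index.html",
		"file:///tmp/req-123/%2e%2e/req-999/index.html",
		"https://example.com/report",
	}
	for _, raw := range cases {
		fmt.Printf("%-48s no guard: %v | fixed: %v\n",
			raw, checkFileURLVulnerable(raw, nil), checkFileURLFixed(raw, ownDir))
	}
}
```

Run with `go run`: the "no guard" column accepts every `file:` URL because the URL route passes a nil prefix list, while the fixed column rejects any `file:` URL that has no configured scope or that resolves outside the request's own directory. Treating an empty and a nil list identically as "nothing allowed" is the property the URL routes lacked.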
Defensive priority
medium
Recommended defensive actions
- Upgrade Gotenberg to version 8.32.0 or later to obtain the fix for CVE-2026-42597
- If immediate patching is not feasible, restrict network access to Gotenberg instances to trusted clients only
- Monitor requests to the URL routes whose `url` form field uses the `file:` scheme, especially `file:///tmp/`, as likely exploitation attempts. Gotenberg takes `url` as a form field in the POST body rather than as a query-string parameter, so access logs that record only method and path will not show it; inspect request bodies at a reverse proxy or WAF, or enable request logging that captures form fields.
- Review temporary file handling practices if running customized Gotenberg deployments with modified Chromium policies
- Assess whether any sensitive data was processed through affected Gotenberg instances during the exposure window
Evidence notes
Vulnerability description derived from NVD record and GitHub Security Advisory GHSA-g924-cjx7-2rjw. Affected versions confirmed as all versions prior to 8.32.0 per CPE criteria. CVSS vector and score sourced from NVD. CWE-73 (External Control of File Name or Path) and CWE-918 (Server-Side Request Forgery) identified as applicable weakness enumerations.
Official resources
- CVE-2026-42597 CVE record (CVE.org)
- CVE-2026-42597 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Exploit, Mitigation, Vendor Advisory), 2026-05-14