SB2026040871 - Multiple vulnerabilities in gotenberg



SB2026040871 - Multiple vulnerabilities in gotenberg

Published: April 8, 2026 Updated: May 5, 2026

Security Bulletin ID SB2026040871
CSH Severity
High
Patch available
YES
Number of vulnerabilities 13
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 62% Medium 38%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 13 vulnerabilities.


1) Inefficient regular expression complexity (CVE-ID: CVE-2026-35458)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to inefficient regular expression complexity in the extraHttpHeaders scope pattern handling in gotenberg/pkg/modules/chromium/routes.go when processing user-supplied scope patterns. A remote attacker can send a specially crafted request containing a malicious scope pattern to cause a denial of service.

Exploitation can hang a worker indefinitely through catastrophic backtracking, and affects instances where the attacker can reach the /forms/chromium/screenshot/url endpoint and specify the extraHttpHeaders field.


2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-39383)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to force the server to send HTTP POST requests to internal or external destinations and probe internal network services.

The vulnerability exists due to server-side request forgery in the webhook URL handling logic when processing the Gotenberg-Webhook-Url request header. A remote attacker can supply a crafted webhook URL to force the server to send HTTP POST requests to internal or external destinations and probe internal network services.

This is a blind SSRF because the response body from the target is not returned to the requester, and the client may automatically retry the outbound request up to four times.


3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-42591)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery in the LibreOffice conversion endpoint when processing uploaded documents with embedded external URLs. A remote attacker can upload a specially crafted document to disclose sensitive information.

LibreOffice fetches embedded external references during document conversion, bypassing the SSRF hardening implemented for Go-handled outbound requests.


4) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-42592)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information from internal services.

The vulnerability exists due to a time-of-check time-of-use race condition in Chromium URL conversion routes when processing attacker-supplied URLs with DNS resolution performed multiple times. A remote attacker can supply a hostname under attacker-controlled DNS that rebinds from a public IP to a private IP to disclose sensitive information from internal services.

The issue can expose responses from loopback-bound services, cloud metadata endpoints, and other private-network addresses through returned PDF output.


5) Path traversal (CVE-ID: CVE-2026-42593)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in stampExpression and watermarkExpression handling in the merge, split, and convert routes when processing requests with pdf stamp or watermark sources without an uploaded file. A remote attacker can send a specially crafted request with a filesystem path to disclose sensitive information.

In affected deployments, the issue can expose PDF files readable by the Gotenberg process, and non-PDF targets may act as a file-existence oracle.


6) Resource exhaustion (CVE-ID: CVE-2026-42594)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in echo.Context pool reuse when handling webhook requests asynchronously in a goroutine. A remote attacker can send a specially crafted request to cause a denial of service.


7) Improper access control (CVE-ID: CVE-2026-42597)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in chromium URL conversion routes when processing file:// URLs. A remote attacker can supply a crafted file:// URL to disclose sensitive information.

The issue can expose arbitrary files located under /tmp.


8) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-42590)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to modify files on the server.

The vulnerability exists due to incomplete list of disallowed inputs in pkg/modules/exiftool/exiftool.go when processing metadata write requests. A remote attacker can send specially crafted metadata keys using ExifTool group-prefix syntax to modify files on the server.

In deployments with mounted volumes or non-containerized setups, exploitation may enable arbitrary file read via symlink chaining and file overwrite via directory manipulation.


9) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-42596)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to perform server-side request forgery against internal HTTP services.

The vulnerability exists due to insufficient request destination validation in the downloadFrom and webhook features when processing attacker-supplied URLs. A remote attacker can supply a specially crafted URL to perform server-side request forgery against internal HTTP services.

The default deny-list is regex-based and case-sensitive, and can be bypassed using alternate address representations such as IPv4-mapped IPv6 loopback addresses.


10) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-42595)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information from internal network resources.

The vulnerability exists due to server-side request forgery in the Chromium URL conversion endpoint when processing user-supplied URLs and following redirects. A remote attacker can submit a crafted URL to make the server fetch internal HTTP or HTTPS resources and disclose sensitive information from internal network resources.

The issue affects the /forms/chromium/convert/url endpoint, and redirects to internal destinations are followed without re-validating the redirect target.


11) OS Command Injection (CVE-ID: CVE-2026-42589)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of special elements used in an os command in the /forms/pdfengines/metadata/write endpoint when processing JSON metadata keys. A remote attacker can send a specially crafted HTTP request with a metadata key containing embedded newline characters to execute arbitrary code.

The issue occurs because newline characters in a JSON metadata key are forwarded to ExifTool and can inject additional flags such as -if, which evaluates Perl expressions.


12) Input validation error (CVE-ID: CVE-2026-40893)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to rename or move files and cause a denial of service.

The vulnerability exists due to improper input validation in the ExifTool metadata tag filtering logic when handling metadata fields in HTTP requests. A remote attacker can send a specially crafted request with group-prefixed tag names to rename or move files and cause a denial of service.

Every endpoint that accepts the metadata field is affected, and ExifTool treats group-prefixed tag names such as System:FileName and System:Directory as equivalent to the blocked bare tag names.


13) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to modify file permissions.

The vulnerability exists due to improper input validation in the ExifTool metadata tag blocklist when handling metadata fields in HTTP requests. A remote attacker can send a specially crafted request using the FilePermissions tag to modify file permissions.

The FilePermissions tag is not included in the dangerous tag blocklist.


Remediation

Install update from vendor's website.