Server-Side Request Forgery (SSRF) in gotenberg - CVE-2026-39383


Published: May 5, 2026


Vulnerability identifier: #VU129632
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-39383
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: thecodingmachine
Affected software: gotenberg

Detailed vulnerability description

The vulnerability allows a remote attacker to force the server to send HTTP POST requests to internal or external destinations and probe internal network services.

The vulnerability exists due to server-side request forgery in the webhook URL handling logic when processing the Gotenberg-Webhook-Url request header. A remote attacker can supply a crafted webhook URL to force the server to send HTTP POST requests to internal or external destinations and probe internal network services.

This is a blind SSRF: the response body from the target is not returned to the requester, and Gotenberg's outbound webhook client may automatically retry the request up to four times, so a single crafted header can produce several probes of the same destination.
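The defensive control behind this class of bug is destination validation before the server issues its outbound POST. The following Go code is an added example written for this page, not Gotenberg's own implementation: it parses a client-supplied webhook URL, requires https, checks the host against an operator allowlist (exact or subdomain match), resolves the name, and rejects any address in loopback, link-local (including the 169.254.0.0/16 cloud-metadata range), RFC 1918, CGNAT or unspecified ranges. `ValidateWebhookURL`, the `Resolver` type and the fake DNS table are assumptions constructed for the example so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrWebhookDestinationBlocked is returned for any URL the server must not POST to.
var ErrWebhookDestinationBlocked = errors.New("webhook destination blocked")

// blockedNetworks: loopback, RFC 1918, link-local/metadata, CGNAT, unspecified,
// and their IPv6 counterparts. Constructed for this example.
var blockedNetworks = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlockedIP reports whether ip lies in a blocked range. IPv4-mapped IPv6
// addresses are normalised first so ::ffff:127.0.0.1 is caught as loopback.
func isBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNetworks {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolver abstracts DNS lookup so the check can be exercised offline.
type Resolver func(host string) ([]net.IP, error)

// hostAllowed matches host exactly or as a subdomain of an allowlisted name.
func hostAllowed(host string, allowed []string) bool {
	for _, a := range allowed {
		a = strings.ToLower(a)
		if host == a || strings.HasSuffix(host, "."+a) {
			return true
		}
	}
	return false
}

// ValidateWebhookURL returns the parsed URL only if every check passes. A nil
// allowedHosts skips the hostname allowlist but never the address-range check;
// every resolved address (not just the first) must be outside the blocked ranges,
// so a DNS record pointing an allowlisted name at 127.0.0.1 is still rejected.
func ValidateWebhookURL(raw string, allowedHosts []string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse webhook url: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrWebhookDestinationBlocked, u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrWebhookDestinationBlocked)
	}
	if allowedHosts != nil && !hostAllowed(host, allowedHosts) {
		return nil, fmt.Errorf("%w: host %q not allowlisted", ErrWebhookDestinationBlocked, host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: check it directly
	} else if ips, err = resolve(host); err != nil {
		return nil, fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%w: %q has no addresses", ErrWebhookDestinationBlocked, host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("%w: %q resolves to %s", ErrWebhookDestinationBlocked, host, ip)
		}
	}
	return u, nil
}

func main() {
	// Constructed DNS table standing in for real resolution.
	fakeDNS := Resolver(func(host string) ([]net.IP, error) {
		switch host {
		case "hooks.example.com":
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		case "internal.example.com": // allowlisted name rebound to loopback
			return []net.IP{net.ParseIP("127.0.0.1")}, nil
		}
		return nil, fmt.Errorf("no such host: %s", host)
	})
	for _, raw := range []string{
		"https://hooks.example.com/done", "https://internal.example.com/done",
		"http://hooks.example.com/done", "https://[::ffff:127.0.0.1]/",
	} {
		_, err := ValidateWebhookURL(raw, []string{"example.com"}, fakeDNS)
		fmt.Printf("%-40s -> %v\n", raw, err)
	}
}
```

The validated `*url.URL` (not the raw string) is what should be handed to the HTTP client, and because the advisory notes the client retries automatically, the same check should also run on any redirect target, since a 3xx from an allowlisted host can otherwise steer the retry at an internal address.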


How to mitigate CVE-2026-39383

Install the security update from the vendor's website.

Sources