Server-Side Request Forgery (SSRF) in gotenberg - CVE-2026-42596
Published: May 5, 2026
gotenberg
Detailed vulnerability description
The vulnerability allows a remote attacker to perform server-side request forgery against internal HTTP services.
The vulnerability exists due to insufficient request destination validation in the downloadFrom and webhook features when processing attacker-supplied URLs. A remote attacker can supply a specially crafted URL to perform server-side request forgery against internal HTTP services.
The default deny-list is regex-based and case-sensitive, and can be bypassed using alternate address representations such as IPv4-mapped IPv6 loopback addresses.