External risk intelligence

Gotenberg can be tricked into exposing internal services to attackers.

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-42596

Gotenberg's PDF processing API has a critical flaw allowing attackers to trick it into accessing your internal network services. Update immediately to version 8.31.0 to prevent this.

Halo Surface Signal: 4

Server-Side Request Forgery

Thecodingmachine Gotenberg

before 8.31.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-42596

Gotenberg is an API for document conversion and webhooks, often deployed in environments where it accepts external input via HTTP. Because these services are commonly internet-facing to support webhooks and remote document processing, the attack surface is frequently accessible to external users.

Horizon Alert

Summary of the vulnerability and why it matters

An unauthenticated attacker can trick Gotenberg into accessing internal services by bypassing download and webhook filters. This allows an attacker to force the server to make outbound requests to internal-only targets, potentially exposing sensitive systems.

  • Allows access to internal services.
  • Forces outbound requests.
  • Affects servers processing external input.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw to force Gotenberg to make HTTP requests to internal services. By crafting specific URLs that bypass the default deny-list, an attacker can target internal APIs or databases, potentially leading to data exfiltration or service disruption.

  • Unauthenticated network access.
  • Bypass URL deny-list filter.
  • Target internal HTTP services.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Gotenberg is likely to be weaponized by attackers due to its critical severity and the common use case of the software. The ability for an unauthenticated attacker to bypass deny-lists and force the server to make requests to internal services presents a significant opportunity for data exfiltration or further network compromise. Observed threat intelligence does not yet indicate active exploitation.

  • Bypass of URL filtering
  • Unauthenticated remote code execution possible
  • Fix available in 8.31.0

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking access to Gotenberg instances if they are exposed externally and running a version prior to 8.31.0, as this critical vulnerability allows unauthenticated attackers to bypass URL filters and access internal services. Review logs for evidence of attempted or successful exploitation, specifically looking for unusual outbound connection attempts from the Gotenberg server.

  • Update Gotenberg to version 8.31.0.
  • Isolate affected Gotenberg instances from the network.
  • Monitor network traffic for suspicious outbound requests.

Frequently asked questions

What is Gotenberg and what is it used for?

Gotenberg is a Docker-powered API designed for handling PDF files. It's a stateless service that developers use to convert various document formats into PDFs and to manage document-related tasks programmatically.

How does CVE-2026-42596 allow attackers to bypass security filters?

This vulnerability, identified as CWE-918 (Server-Side Request Forgery), allows attackers to bypass Gotenberg's default deny-lists. The filter's regex-based and case-sensitive nature means attackers can craft URLs, like those targeting loopback addresses, to trick the service into accessing internal systems it's supposed to block.
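To make the difference concrete, here is an added Go sketch (not Gotenberg's code) of the two filter styles the answer contrasts: `weakDenyList`, a case-sensitive regex over the raw URL string, beside `hardenedAllows`, which normalises the host, resolves it and checks the resulting addresses against loopback, private and link-local ranges. The regex pattern, the function names and the `fakeResolve` lookup table are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// weakDenyList is the class of filter the advisory describes: a case-sensitive
// regex over the raw URL string. Illustrative only, not Gotenberg's own pattern.
var weakDenyList = regexp.MustCompile(`^https?://(localhost|127\.0\.0\.1)(:|/|$)`)
func weakAllows(raw string) bool { return !weakDenyList.MatchString(raw) }

// hardenedAllows lower-cases the host, resolves it and rejects loopback, private,
// link-local and unspecified addresses; unknown hosts fail closed. The resolver is
// injected so the example runs offline; in production, dial the IP that passed.
func hardenedAllows(raw string, resolve func(string) ([]net.IP, error)) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false, err // a parse error or a non-HTTP scheme is rejected
	}
	host := strings.ToLower(u.Hostname()) // strips port and IPv6 brackets
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return false, nil
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return false, err
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return false, nil
		}
	}
	return true, nil
}

// fakeResolve replaces DNS with constructed data so the example runs offline.
func fakeResolve(host string) ([]net.IP, error) {
	table := map[string]string{"internal-api.example": "10.0.0.5", "docs.example": "203.0.113.10"}
	if addr, ok := table[host]; ok {
		return []net.IP{net.ParseIP(addr)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}
```

The regex misses any spelling it was not written for, while the hardened check decides on the resolved address, so a hostname that points at an internal range is rejected even though it appears nowhere in a list.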

What are the preconditions for an attacker to exploit this CVE?

An attacker does not need any authentication to exploit this vulnerability. They need to be able to send specially crafted HTTP requests to the affected Gotenberg service. The bug is triggered when the service processes these requests, attempting to download or interact with URLs that bypass the intended security filters.

Who should be concerned about Gotenberg's CVE-2026-42596 vulnerability?

Organizations using Gotenberg instances that are accessible from the internet or handle external input should be concerned. Because Gotenberg is often used for webhooks and processing external documents, there's a significant chance it's internet-facing, increasing the potential exposure to attackers.

What is the first step to respond to this Gotenberg vulnerability?

The immediate first step is to update Gotenberg to version 8.31.0 or later, as this version includes the fix for the vulnerability. If immediate updating is not possible, isolating the affected Gotenberg instances from the network should be considered.
