PT-2026-28098 · Gotenberg · Gotenberg

Q1Uf3Ng · Published 2026-03-25 · Updated 2026-05-07 · CVE-2026-27018

CVSS v4.0: 8.8 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Gotenberg versions prior to 8.29.0

Description

Gotenberg, an API for converting document formats, contains a flaw related to URL scheme handling. A previously implemented fix for CVE-2024-21527 could be bypassed by utilizing mixed-case or uppercase URL schemes, such as FILE:///etc/passwd or File:///etc/passwd. The issue stems from a case-sensitive regular expression used in the FilterDeadline function within pkg/gotenberg/filter.go, which does not account for the case-insensitivity of URI schemes as defined in RFC 3986 Section 3.1. This allows attackers to bypass the intended security measures and potentially read arbitrary files from the Gotenberg container. The vulnerability affects both the URL endpoint and HTML conversion processes, including those involving iframes and link tags. The vulnerable code resides in pkg/modules/chromium/chromium.go, pkg/gotenberg/filter.go, and pkg/modules/chromium/events.go. The API endpoint /forms/chromium/convert/url is affected, utilizing the url parameter.

Recommendations

Gotenberg versions prior to 8.29.0 should be updated to version 8.29.0 or later.
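
The following Go sketch is an added illustration of the bug class described above, not Gotenberg's code: the deny pattern, the allow-list and the function names are assumptions made for the example. It contrasts a case-sensitive match on the raw URL with a check on the parsed, lowercased scheme.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hypothetical deny pattern, constructed for this example; it is not
// Gotenberg's actual regex. It matches the scheme literally, in lowercase only.
var denyCaseSensitive = regexp.MustCompile(`^file:`)

// Assumed policy for this example: only http and https may be fetched.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// blockedNaive reproduces the bug class: a case-sensitive match on the raw URL.
func blockedNaive(raw string) bool {
	return denyCaseSensitive.MatchString(raw)
}

// blockedNormalized parses the URL, lowercases the scheme (RFC 3986 Section 3.1
// makes schemes case-insensitive) and fails closed on anything not allow-listed.
func blockedNormalized(raw string) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Scheme == "" {
		return true
	}
	return !allowedSchemes[strings.ToLower(u.Scheme)]
}

func main() {
	// Constructed sample inputs; the file URLs are the ones quoted in the advisory.
	samples := []string{
		"file:///etc/passwd",
		"FILE:///etc/passwd",
		"File:///etc/passwd",
		"https://example.com/report.html",
	}
	for _, s := range samples {
		fmt.Printf("%-34s naive=%-5v normalized=%v\n", s, blockedNaive(s), blockedNormalized(s))
	}
}
```

If a deny pattern is kept instead, it needs the `(?i)` flag to match every casing of the scheme; the allow-list on a parsed scheme is the stricter of the two.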

Exploit

Fix

Path traversal

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-27018
GHSA-JJWV-57XH-XR6R
GO-2026-4905
SUSE-SU-2026:1205-1

Affected Products

Gotenberg