PT-2026-37098 · Gotenberg · Gotenberg
S-Senhaji · Published 2026-04-30 · Updated 2026-05-06 · CVE-2026-39383
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gotenberg versions 8.29.1 through 8.30.x

Description: An unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The issue stems from the FilterDeadline() function in filter.go, which is intended to gate outbound URLs but returns nil unconditionally when both the allow-list and the deny-list are empty (the default configuration), so any URL is permitted.

This is a blind Server-Side Request Forgery (SSRF): the server does not return the target's response body to the attacker. An attacker can nevertheless probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm the reachability of cloud metadata endpoints. The impact is amplified by a retryable HTTP client that issues up to 4 automatic retries per request.

Recommendations: Update to version 8.31.0. As a temporary workaround, set the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, and set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC 1918 and link-local address ranges.
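The following Go snippet is an added illustration of the defect class the advisory describes and of its fail-closed counterpart; it is not Gotenberg's filter.go and not code from the advisory. The webhookFilter type, the two filter functions, isInternalIP and the sample URLs and hostnames are hypothetical. The fail-open variant returns nil for every URL when neither list is configured; the hardened variant refuses all URLs when no allow-list is set, rejects non-HTTP schemes and literal loopback, private and link-local addresses before consulting either list, and lets the deny-list override the allow-list.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// webhookFilter models an allow/deny regex gate for outbound webhook URLs.
// Hypothetical illustration of the pattern in the advisory, not Gotenberg's code.
type webhookFilter struct {
	allow *regexp.Regexp // nil: no allow-list configured
	deny  *regexp.Regexp // nil: no deny-list configured
}

// failOpenFilter reproduces the defect class from the advisory: with neither
// list configured it returns nil for every URL, so the default configuration
// permits any destination.
func (f webhookFilter) failOpenFilter(raw string) error {
	if f.allow == nil && f.deny == nil {
		return nil // the bug: an empty configuration means "allow everything"
	}
	if f.deny != nil && f.deny.MatchString(raw) {
		return fmt.Errorf("webhook URL %q matches the deny-list", raw)
	}
	if f.allow != nil && !f.allow.MatchString(raw) {
		return fmt.Errorf("webhook URL %q does not match the allow-list", raw)
	}
	return nil
}

// isInternalIP reports whether a literal IP lies in a range no webhook
// receiver should occupy: loopback, private (RFC 1918 / ULA), link-local
// (the range used by cloud metadata services) or the unspecified address.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// failClosedFilter is the hardened form: it parses the URL, rejects bad
// schemes and internal literal IPs first, applies the deny-list, and then
// refuses every URL unless an allow-list exists and matches.
func (f webhookFilter) failClosedFilter(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid webhook URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("webhook URL scheme %q is not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("webhook URL has no host")
	}
	// Only literal IPs are checked here. A hostname must be re-checked at dial
	// time, after resolution, or a DNS record can point it at an internal
	// address; that resolver hook is outside this example.
	if ip := net.ParseIP(host); ip != nil && isInternalIP(ip) {
		return fmt.Errorf("webhook URL host %s is an internal address", host)
	}
	if f.deny != nil && f.deny.MatchString(raw) {
		return fmt.Errorf("webhook URL %q matches the deny-list", raw)
	}
	if f.allow == nil {
		return errors.New("no webhook allow-list configured; refusing all webhook URLs")
	}
	if !f.allow.MatchString(raw) {
		return fmt.Errorf("webhook URL %q does not match the allow-list", raw)
	}
	return nil
}

func main() {
	// Constructed sample: the empty default configuration and a link-local
	// destination of the kind the advisory says is reachable by default.
	defaults := webhookFilter{}
	target := "http://169.254.0.10/callback"
	fmt.Println("fail-open  :", defaults.failOpenFilter(target))   // <nil>
	fmt.Println("fail-closed:", defaults.failClosedFilter(target)) // error

	// Constructed sample: an operator allow-list naming one known receiver.
	configured := webhookFilter{allow: regexp.MustCompile(`^https://hooks\.example\.com/`)}
	fmt.Println("allowed    :", configured.failClosedFilter("https://hooks.example.com/done"))
	fmt.Println("rejected   :", configured.failClosedFilter("http://10.0.0.5/admin"))
}
```

The design point is that an absent list is configuration, not permission: the gate must have an explicit reason to let a URL out. Literal-IP checks alone do not cover hostnames that resolve to internal addresses, so a production filter also needs the same check applied to resolved addresses at connection time.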

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers: CVE-2026-39383, GHSA-5VH4-RGV7-P9G4

Affected Products: Gotenberg