PT-2026-37104 · Gotenberg · Gotenberg

Morimori-Dev · Published 2026-04-30 · Updated 2026-05-07 · CVE-2026-40280

CVSS v4.0: 7.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Gotenberg versions 8.30.1 and earlier

Description: Gotenberg is an API-based document conversion tool. The default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression to match URL schemes. Because the net/url.Parse() function normalizes the scheme to lowercase before establishing an outbound TCP connection, an attacker can bypass the deny-list by capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints. The issue involves the FilterDeadline() function and specific logic within pkg/modules/webhook/webhook.go and pkg/modules/api/api.go.

Recommendations: Update Gotenberg to version 8.31.0.
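To make the root cause concrete, the following is an added example (not Gotenberg's own code): a constructed, case-sensitive deny-list regex applied to the raw URL string, beside a hardened check that parses the URL first, compares the normalized scheme, and classifies the host by address range rather than by text pattern. The regex and sample URLs are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Constructed deny-list in the spirit of the advisory: a case-sensitive regex
// anchored on the scheme text. This is NOT Gotenberg's actual pattern.
var rawDenyList = regexp.MustCompile(`^https?://(127\.|10\.|169\.254\.|localhost)`)

// weakIsDenied matches the raw string the client supplied. Because the regex
// is case-sensitive, "HTTP://127.0.0.1/" does not match, yet url.Parse()
// lowercases the scheme and the connection is made anyway.
func weakIsDenied(raw string) bool { return rawDenyList.MatchString(raw) }

// hardenedIsDenied parses first, so the check sees the same normalized scheme
// the dialer will use, and decides on the address class, not on spelling.
// Fails closed on anything it cannot classify.
func hardenedIsDenied(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true
	}
	scheme := strings.ToLower(u.Scheme) // belt and braces; Parse already lowercases
	if scheme != "http" && scheme != "https" {
		return true
	}
	host := strings.ToLower(u.Hostname())
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	if ip == nil {
		// Constructed example handles literal IPs only; a production filter
		// resolves the name and checks every returned address the same way.
		return true
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

func main() {
	for _, raw := range []string{"http://127.0.0.1/", "HTTP://127.0.0.1/", "Http://169.254.169.254/", "https://203.0.113.10/"} {
		fmt.Printf("%-28s weak=%-5v hardened=%v\n", raw, weakIsDenied(raw), hardenedIsDenied(raw))
	}
}
```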

Tags: Exploit · Fix · SSRF

Related Identifiers:
CVE-2026-40280
GHSA-5Q7P-7JGV-WW56

Affected Products:
Gotenberg