CVE-2026-42591

Name of the Vulnerable Software and Affected Versions Gotenberg versions 8.31.0 and earlier

Description A Server-Side Request Forgery (SSRF) issue exists in the LibreOffice conversion endpoint "/forms/libreoffice/convert". While some SSRF hardening is present in the Go code, the application passes uploaded documents directly to LibreOffice without inspecting their content. Because LibreOffice is a separate process that manages its own HTTP connections via libcurl, it bypasses the Go-level filters. An attacker can use OOXML formats (such as .docx, .docm, .xlsx, .xlsm, .pptx, .pptm, .odt, .ods, .odp, or .rtf) containing embedded external image references with TargetMode="External" to force the server to make outbound HTTP requests. This can be used to access internal services, retrieve cloud metadata from http://169.254.169.254/, or perform internal network port scanning.

Recommendations Run LibreOffice with unshare --net to remove all network access from the subprocess. Scan uploaded OOXML files for rels/*.rels entries containing TargetMode="External" and validate or strip those URLs before processing the file with LibreOffice.