PT-2026-38384 · Gotenberg · Gotenberg

Adrgs · Published 2026-05-07 · Updated 2026-05-14 · CVE-2026-42593

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Gotenberg versions prior to 8.32.0

Description: Six API endpoints ('/pdfengines/merge', '/pdfengines/split', '/libreoffice/convert', '/chromium/convert/url', '/chromium/convert/html', and '/chromium/convert/markdown') allow anonymous callers to read PDF files from the container filesystem. The issue occurs because these endpoints do not properly validate the stampExpression and watermarkExpression variables when no file is uploaded but the stampSource or watermarkSource variables are set to 'pdf'. This allows an attacker to specify an arbitrary file path, which is then processed by the pdfcpu tool and returned to the caller as a composite PDF. This can be used to access sensitive PDF documents that the Gotenberg process has permission to read, including those in bind-mounted host directories.

Recommendations: Update to version 8.32.0. As a temporary workaround, restrict access to the affected API endpoints to trusted users only.
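The check a defender would want at the point the description names (source kind set to 'pdf' while the expression is not backed by a file uploaded with the request), as an added Go example. This is not Gotenberg's or pdfcpu's code; the request model, the per-request working directory, the uploaded-file list and the function names are assumptions that follow the advisory's wording, and pdfcpu's own description syntax is not modelled: the expression is treated as naming a single uploaded file.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Illustrative code added to this advisory, not Gotenberg's implementation.
// Field and function names are assumptions based on the advisory text.

var (
	ErrNoUploadedSource = errors.New("stampSource/watermarkSource 'pdf' requires a PDF uploaded with this request")
	ErrOutsideWorkdir   = errors.New("source file must be one of the files uploaded with this request")
)

// stampRequest is a minimal model of the form fields the advisory names.
type stampRequest struct {
	Source     string   // stampSource or watermarkSource: "pdf", "text", ...
	Expression string   // stampExpression or watermarkExpression
	Uploaded   []string // basenames of files that arrived with this request (constructed)
}

// resolveStampSource returns the absolute path that may be handed to the PDF
// engine, or an error. Hardened rule: when the source kind is "pdf", the
// expression must name exactly one file uploaded with this request, and the
// canonical path must stay inside the request's working directory. Any other
// value is rejected before pdfcpu ever sees it.
func resolveStampSource(workdir string, r stampRequest) (string, error) {
	if r.Source != "pdf" {
		return "", nil // non-file sources are not resolved against the filesystem
	}
	if len(r.Uploaded) == 0 {
		// The advisory's failing case: source "pdf" with no upload at all.
		return "", ErrNoUploadedSource
	}
	name := r.Expression
	// Only a bare filename is acceptable: no absolute paths, no separators, no "..".
	if name == "" || name == ".." || filepath.IsAbs(name) ||
		strings.ContainsAny(name, `/\`) || name != filepath.Base(name) {
		return "", ErrOutsideWorkdir
	}
	found := false
	for _, u := range r.Uploaded {
		if u == name {
			found = true
			break
		}
	}
	if !found {
		return "", ErrOutsideWorkdir
	}
	// Defense in depth: canonicalise and confirm the result is still under workdir.
	base, err := filepath.Abs(workdir)
	if err != nil {
		return "", err
	}
	full, err := filepath.Abs(filepath.Join(base, name))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkdir
	}
	return full, nil
}

func main() {
	workdir := "/tmp/gotenberg/req-0001" // constructed per-request directory
	cases := []stampRequest{
		{Source: "pdf", Expression: "stamp.pdf", Uploaded: []string{"stamp.pdf", "input.pdf"}},
		{Source: "pdf", Expression: "/data/secret.pdf"}, // no upload, absolute path
		{Source: "pdf", Expression: "../../data/secret.pdf", Uploaded: []string{"stamp.pdf"}},
		{Source: "pdf", Expression: "other.pdf", Uploaded: []string{"stamp.pdf"}},
		{Source: "text", Expression: "CONFIDENTIAL"},
	}
	for _, c := range cases {
		p, err := resolveStampSource(workdir, c)
		fmt.Printf("source=%-4s expr=%-24q -> path=%q err=%v\n", c.Source, c.Expression, p, err)
	}
}
```

Run it with `go run main.go`; only the first case yields a path, the rest are refused before any filesystem read. Rejecting at resolution time complements, rather than replaces, the access restriction in the Recommendations above: the endpoint should not be reachable anonymously, and even an authenticated caller should only be able to stamp with a file it supplied.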

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-42593
GHSA-3CV5-Q585-H563

Affected Products

Gotenberg