PT-2026-38385 · Gotenberg · Gotenberg

Adrgs · Published 2026-05-07 · Updated 2026-05-16 · CVE-2026-42594

CVSS v3.1: 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Gotenberg versions prior to 8.32.0
Description: A flaw in the webhook middleware allows an anonymous caller to crash the process. The middleware spawns a goroutine that retains a reference to the echo.Context after the synchronous handler returns ErrAsyncProcess and the context is recycled back to the sync.Pool. If a concurrent request claims this recycled context and calls c.Reset(), the store is cleared. When the webhook goroutine subsequently reaches the hardTimeoutMiddleware function, an unchecked type assertion on the now-nil store entry for the logger variable causes a panic outside of any recover() scope, crashing the process. The condition was triggered with a load of approximately 24 webhook requests and 60 GET /version requests.
Recommendations: Update to version 8.32.0. As a temporary workaround, restrict access to the webhook path to authorized users only to reduce the risk of exploitation.
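The following Go program is an added illustration of the defect class described above, not Gotenberg's or Echo's code: a pooled per-request context is modelled with a hypothetical `Context` type, the vulnerable path hands that context to a deferred job that performs an unchecked type assertion after the context has been reset, and the hardened path (an assumed mitigation, not necessarily the upstream fix) copies what it needs out of the context before the handler returns and uses a comma-ok assertion.

```go
package main

import "fmt"

// Minimal stand-in for echo.Context: a pooled per-request object with a key/value
// store. Hypothetical model written for this example, not Echo's or Gotenberg's code.
type Context struct{ store map[string]any }
type Logger struct{ name string }

func (c *Context) Set(k string, v any) { c.store[k] = v }
func (c *Context) Get(k string) any    { return c.store[k] }
func (c *Context) Reset()              { c.store = map[string]any{} } // next request wipes it

// Vulnerable pattern: the async job keeps the *Context and reads "logger" later with an
// unchecked type assertion; once another request has Reset() the context, this panics.
func vulnerableAsyncJob(c *Context) func() (string, error) {
	return func() (string, error) { return c.Get("logger").(*Logger).name, nil }
}

// Hardened pattern (illustrative mitigation, not necessarily the upstream fix): copy what
// the job needs out of the context before the handler returns, via a comma-ok assertion.
func hardenedAsyncJob(c *Context) (func() (string, error), error) {
	logger, ok := c.Get("logger").(*Logger)
	if !ok {
		return nil, fmt.Errorf("logger missing from context")
	}
	return func() (string, error) { return logger.name, nil }, nil
}

// runScenario replays the advisory's interleaving sequentially: request A schedules the job
// and returns ErrAsyncProcess, its context is recycled and Reset() by request B, then the job runs.
func runScenario(vulnerable bool) (result string, err error) {
	defer func() { // a panic that would escape recover() in the real server becomes an error here
		if r := recover(); r != nil {
			err = fmt.Errorf("panic escaped handler: %v", r)
		}
	}()
	a := &Context{store: map[string]any{}}
	a.Set("logger", &Logger{name: "webhook-A"})
	var job func() (string, error)
	if vulnerable {
		job = vulnerableAsyncJob(a)
	} else if job, err = hardenedAsyncJob(a); err != nil {
		return "", err
	}
	a.Reset() // request B now owns the same object (handed out by sync.Pool in Echo)
	return job()
}

func main() { fmt.Println(runScenario(true)); fmt.Println(runScenario(false)) }
```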

Tags: Exploit · Fix · DoS · Race Condition


Weakness Enumeration: none listed

Related Identifiers: CVE-2026-42594, GHSA-R33J-C622-R6QP

Affected Products: Gotenberg