PT-2026-38386 · Gotenberg · Gotenberg

R1Zzg0D

Published 2026-05-07 · Updated 2026-06-25 · CVE-2026-42596

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Gotenberg versions prior to 8.31.0

Description: An unauthenticated attacker can bypass the default deny-lists used by the downloadFrom and webhook features. The issue occurs because the filtering logic uses case-sensitive regular expressions that only block lowercase http:// and https:// prefixes. Consequently, an attacker can use alternative textual representations of loopback or private addresses, such as IPv4-mapped IPv6 addresses (e.g., http://[::ffff:127.0.0.1]:...), to force the server to make outbound requests to internal-only targets. This allows for Server-Side Request Forgery (SSRF), potentially exposing internal HTTP services, cloud metadata endpoints, and local admin APIs.

Recommendations: Update to version 8.31.0. As a temporary workaround, restrict access to the downloadFrom and webhook features to minimize the risk of exploitation.
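The defensive point of this advisory, as an added Go illustration that is not Gotenberg's code and does not claim to be the 8.31.0 fix: a constructed deny-list built from a case-sensitive regex over literal lowercase URLs is placed beside a check that parses the URL, relies on the normalised scheme and classifies the resolved IP, so that the IPv4-mapped loopback form quoted above is judged as 127.0.0.1. The `lookup` parameter is an assumed injectable resolver so the code runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// Constructed stand-in (not Gotenberg's code) for the flawed check: a case-sensitive regex over literal lowercase loopback URLs.
var weakDenyList = regexp.MustCompile(`^https?://(localhost|127\.0\.0\.1|\[::1\])`)

func weakIsBlocked(raw string) bool { return weakDenyList.MatchString(raw) }

// isInternalIP covers loopback, unspecified, link-local and private ranges; net.IP methods call To4() first, so ::ffff:127.0.0.1 is judged like 127.0.0.1.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() || ip.IsLinkLocalUnicast()
}

// checkURL parses raw, enforces the scheme, resolves the host via the injectable lookup (offline-testable) and
// rejects internal addresses. A production guard repeats the IP test in the dialer's Control hook to defeat DNS rebinding.
func checkURL(raw string, lookup func(host string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" { // url.Parse lowercases the scheme, so "HTTP://" is caught too
		return errors.New("scheme not allowed: " + u.Scheme)
	}
	host := u.Hostname() // "[::ffff:127.0.0.1]:8080" -> "::ffff:127.0.0.1"
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not a literal address: resolve it
		if ips, err = lookup(host); err != nil {
			return err
		}
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return errors.New("destination resolves to an internal address: " + ip.String())
		}
	}
	return nil
}

func main() {
	offline := func(string) ([]net.IP, error) { return nil, errors.New("offline resolver") }
	target := "http://[::ffff:127.0.0.1]:8080/" // the mapped form quoted in the advisory
	fmt.Println(weakIsBlocked(target), checkURL(target, offline)) // false, then an internal-address error
}
```

The same classification must also run at connection time (for example in `net.Dialer.Control`), because a check on the URL string alone cannot see what DNS answers later.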

Exploit · Fix · SSRF

Related Identifiers

CVE-2026-42596
GHSA-4VMC-GM8V-M35H
GO-2026-5132

Affected Products

Gotenberg