CVE-2026-42597

Name of the Vulnerable Software and Affected Versions Gotenberg versions prior to 8.32.0

Description Anonymous callers can access the '/forms/chromium/convert/url' and '/forms/chromium/screenshot/url' endpoints using the url parameter with the file:///tmp/ scheme. While a deny-list exists to prevent arbitrary file access, it intentionally exempts the /tmp/ directory to allow certain routes to load local assets. However, the URL routes fail to implement the AllowedFilePrefixes guard, which is intended to scope these reads. This allows an attacker to enumerate the /tmp/ directory and read raw source files of other concurrent conversion requests, such as uploaded HTML, Markdown, or Office documents, which are then returned as rendered PDF output. This can lead to cross-tenant document exfiltration in multi-tenant deployments.

Recommendations Update to version 8.32.0. As a temporary workaround, restrict access to the '/forms/chromium/convert/url' and '/forms/chromium/screenshot/url' endpoints to trusted users only.