PT-2026-39661 · Gotenberg · Gotenberg

Ayushparkara · Published 2026-05-11 · Updated 2026-05-14 · CVE-2026-42595

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Gotenberg versions prior to 8.32.0

Description: Gotenberg is a Docker-powered stateless API for PDF files. The Chromium URL-to-PDF endpoint '/forms/chromium/convert/url' lacks default protection against Server-Side Request Forgery (SSRF) for HTTP and HTTPS requests, because the default deny-list blocks only file:// URIs. An unauthenticated attacker can therefore direct Chromium to internal IP addresses, including loopback, RFC 1918 ranges and cloud metadata endpoints, and receive the response rendered as a PDF. The downloadFrom and webhook endpoints are affected by a redirect-based bypass as well: even when a custom deny-list is configured, the Chromium instance and these endpoints follow HTTP 302 redirects from attacker-controlled external URLs to internal targets without re-validating the destination against the deny-list.

Recommendations: Update to version 8.32.0. As a temporary workaround, restrict access to the '/forms/chromium/convert/url' endpoint to minimize the risk of exploitation.
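The two checks the advisory describes as missing, written here as an added defensive example in Go (the language Gotenberg is written in) that is not Gotenberg's own code: a destination deny-list covering loopback, RFC 1918 and link-local (metadata) ranges rather than only file://, re-applied to every redirect hop through http.Client's CheckRedirect so that a 302 from an external host cannot land on an internal target. The prefix list, the function names and the 5-hop limit are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"slices"
)

// Constructed deny-list (hypothetical, not Gotenberg's own): loopback, RFC 1918,
// link-local (contains the 169.254.169.254 metadata address) and IPv6 counterparts.
var denied = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}
// isDeniedAddr matches one resolved address; Unmap() folds ::ffff:127.0.0.1 back to
// 127.0.0.1 first, and the unspecified address (0.0.0.0, ::) is denied as well.
func isDeniedAddr(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsUnspecified() || slices.ContainsFunc(denied, func(p netip.Prefix) bool { return p.Contains(a) })
}
// validateTarget rejects non-HTTP(S) schemes and any host that resolves to a denied
// address (LookupNetIP hands IP literals back directly, so they need no DNS query).
func validateTarget(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	addrs, err := net.DefaultResolver.LookupNetIP(context.Background(), "ip", u.Hostname())
	if err != nil {
		return err
	}
	for _, a := range addrs {
		if isDeniedAddr(a) {
			return fmt.Errorf("%s resolves to denied address %s", u.Hostname(), a)
		}
	}
	return nil
}
// checkRedirect, installed as http.Client.CheckRedirect, re-validates every hop so a
// 302 from an external host to an internal target is refused instead of followed.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return fmt.Errorf("too many redirects")
	}
	return validateTarget(req.URL)
}
```

The lookup happens at validation time, so a name whose DNS answer changes between the check and the connect (DNS rebinding) still needs the validated address pinned in a custom Dialer. This hook only governs fetches made by Go code such as downloadFrom and webhook calls; the Chromium instance navigates on its own and needs an equivalent policy of its own.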

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-42595
GHSA-CHWH-F6GM-R836

Affected Products

Gotenberg