Server-Side Request Forgery (SSRF)
CVE-2026-40280
Summary
Gotenberg is an API-based document conversion tool. In versions through 8.30.1, the default private-IP deny-lists for the "--webhook-deny-list" and "--api-download-from-deny-list" flags use a case-sensitive regular expression "^https?://" to match URL schemes. Because Go's "net/url.Parse()" normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., "HTTP://", "HTTPS://", or "Http://"). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as "HTTP://169.254.169.254/latest/meta-data/". This bypasses the same security control that was patched in CVE-2026-27018. This issue has been fixed in version 8.31.0.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-918 - Server-Side Request Forgery (SSRF)
Server-side request forgery (SSRF) is a weakness that allows an attacker to send an arbitrary request, making it appear that the request was sent by the server. This request may bypass a firewall that would normally prevent direct access to the URL. The impact of this vulnerability can vary from unauthorized access to files and sensitive information to remote code execution.
References
Advisory Timeline
- Published
