Blind Server-Side Request Forgery in Gotenberg Document Conversion Tool
CVE-2026-39383

6.9 MEDIUM

Key Information:

Vendor

Gotenberg

Status
Vendor
CVE Published:
5 May 2026

What is CVE-2026-39383?

Gotenberg, an API-based document conversion tool, contains a blind server-side request forgery (SSRF) vulnerability. In version 8.29.1, an unauthenticated attacker with network access to the API can supply a Gotenberg-Webhook-Url request header that makes the server issue outbound HTTP POST requests to an arbitrary URL. In the default configuration the FilterDeadline function is unguarded, so no restriction is applied to the webhook URL, which exposes internal network infrastructure to probing and to unsolicited POST requests. The SSRF is blind: the attacker never sees the response body, but can still infer whether sensitive internal endpoints are reachable, and the server's automatic retries amplify the effect of each request. Users are advised to upgrade to version 8.31.0 or to configure webhook URL restrictions.
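The mitigation the advisory points to, restricting which URLs a webhook may target, is the kind of outbound-request guard shown below. This is an added example written for this page, not Gotenberg's own code or configuration; the allow-list contents, the `ValidateWebhookURL` function, the `ConstructedResolver` DNS table and the host names in it are all constructed for the example. It checks a caller-supplied webhook URL before any request is made: only `https`, only hosts on an explicit allow-list, and only hosts whose resolved addresses are public, so an allow-listed name that resolves into loopback, link-local or RFC 1918 space is still rejected.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed allow-list of hostnames the service is permitted to POST webhooks to.
// In a real deployment this would come from configuration, never from the request.
var allowedWebhookHosts = map[string]bool{
	"hooks.example.com":   true,
	"partner.example.net": true,
}

// ErrWebhookDenied is returned for every rejected URL so callers can log and drop it.
var ErrWebhookDenied = errors.New("webhook url denied")

// IsPrivateIP reports whether ip lies in a range an outbound webhook must never reach:
// loopback, link-local (including cloud metadata addresses), RFC 1918 / ULA,
// multicast or the unspecified address.
func IsPrivateIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast()
}

// ConstructedResolver stands in for DNS so the example runs offline. The table is
// constructed: partner.example.net deliberately resolves to a private address to
// show that the allow-list alone is not enough.
func ConstructedResolver(host string) ([]net.IP, error) {
	table := map[string]string{
		"hooks.example.com":   "203.0.113.10", // TEST-NET-3, stands in for a public address
		"partner.example.net": "10.0.0.5",     // RFC 1918: must be rejected
	}
	if addr, ok := table[host]; ok {
		return []net.IP{net.ParseIP(addr)}, nil
	}
	return nil, errors.New("no such host")
}

// ValidateWebhookURL validates a candidate webhook URL before any outbound request.
// resolve is injected so the check can be tested offline; in production pass net.LookupIP.
// Callers should dial the returned IPs directly rather than re-resolving the name,
// otherwise a DNS answer that changes between check and use (rebinding) bypasses the check.
func ValidateWebhookURL(raw string, resolve func(string) ([]net.IP, error)) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: unparseable url: %v", ErrWebhookDenied, err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q not allowed", ErrWebhookDenied, u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrWebhookDenied)
	}
	// Exact-match allow-list: raw IP literals and unknown names fail here.
	if !allowedWebhookHosts[host] {
		return nil, fmt.Errorf("%w: host %q not in allow-list", ErrWebhookDenied, host)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("%w: cannot resolve %q", ErrWebhookDenied, host)
	}
	// Every resolved address must be public; one private record is enough to reject.
	for _, ip := range ips {
		if IsPrivateIP(ip) {
			return nil, fmt.Errorf("%w: %q resolves to non-public address %s", ErrWebhookDenied, host, ip)
		}
	}
	return ips, nil
}

func main() {
	candidates := []string{
		"https://hooks.example.com/callback",      // allowed
		"http://hooks.example.com/callback",       // wrong scheme
		"https://169.254.169.254/latest/meta-data", // IP literal, not allow-listed
		"https://partner.example.net/callback",    // allow-listed name, private address
	}
	for _, c := range candidates {
		if ips, err := ValidateWebhookURL(c, ConstructedResolver); err != nil {
			fmt.Printf("DENY  %s: %v\n", c, err)
		} else {
			fmt.Printf("ALLOW %s -> %v\n", c, ips)
		}
	}
}
```

The resolve-then-pin design matters for a blind SSRF: the attacker does not need the response, only for the request to be sent, so the check has to hold at the moment the socket is opened, not just when the header is parsed.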

Affected Version(s)

gotenberg < 8.31.0

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
