Document Conversion Tool Vulnerability in Gotenberg by Gotenberg
CVE-2026-40280

7.8 HIGH

Key Information:

Vendor: Gotenberg
Status: Vendor
CVE Published: 5 May 2026

What is CVE-2026-40280?

Gotenberg, an API-based document conversion tool, applies its deny-list settings as case-sensitive regular expressions. In versions up to 8.30.1, an attacker can bypass the --webhook-deny-list and --api-download-from-deny-list filters by capitalizing part of the URL scheme (e.g., HTTP:// instead of http://). The bypass lets the service be directed at internal services and private IP ranges, including cloud metadata endpoints and loopback addresses. The issue is fixed in version 8.31.0.
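The following Go program is an added illustration of the flaw described above and of the usual fix; it is not Gotenberg's code. It assumes, as the advisory states, that the deny-list is a set of regular expressions applied to the outbound URL. The two deny-list patterns, the helper names (weakDenied, hardenedDenied) and the sample URLs are constructed for this example. The weak variant matches the raw URL string case-sensitively, so an uppercase scheme slips past a lowercase pattern; the hardened variant parses the URL, lowercases the scheme and host (both case-insensitive per RFC 3986) before matching, fails closed on anything that is not an absolute URL, and additionally rejects IP-literal hosts in loopback, private and link-local ranges so that the protection does not depend on the pattern list alone.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Two deny-list patterns, constructed for this example. They stand in for
// the kind of pattern an operator might pass to --webhook-deny-list or
// --api-download-from-deny-list; they are not Gotenberg's defaults.
var denyList = []*regexp.Regexp{
	regexp.MustCompile(`^http://127\.0\.0\.1(:\d+)?(/|$)`), // loopback
	regexp.MustCompile(`^http://169\.254\.169\.254(/|$)`),   // cloud metadata address
}

// weakDenied reproduces the defect the advisory describes: the deny-list is
// applied, case-sensitively, to the raw URL string. A scheme written in a
// different letter case is not matched by a lowercase pattern.
func weakDenied(raw string) bool {
	for _, re := range denyList {
		if re.MatchString(raw) {
			return true
		}
	}
	return false
}

// hardenedDenied parses the URL first, normalizes the parts that RFC 3986
// defines as case-insensitive (scheme and host), and applies the deny-list
// to the rebuilt canonical string. It also rejects IP-literal hosts in
// loopback, private or link-local ranges regardless of the pattern list,
// and fails closed on anything that does not parse as an absolute URL.
func hardenedDenied(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return true // fail closed: no absolute URL, no request
	}
	u.Scheme = strings.ToLower(u.Scheme)
	u.Host = strings.ToLower(u.Host)

	// Deny IP-literal hosts in the ranges the advisory names as at risk.
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() {
			return true
		}
	}

	canonical := u.String()
	for _, re := range denyList {
		if re.MatchString(canonical) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample URLs; none of these are taken from the advisory.
	for _, raw := range []string{
		"http://127.0.0.1/",              // blocked by both variants
		"HTTP://127.0.0.1/",              // the case bypass the advisory describes
		"HTTP://169.254.169.254/latest/", // same bypass against a metadata address
		"http://[::1]:8080/hook",         // IPv6 loopback, absent from the regex list
		"https://example.com/report.pdf", // legitimate external target
	} {
		fmt.Printf("%-34s weak=%-5v hardened=%v\n", raw, weakDenied(raw), hardenedDenied(raw))
	}
}
```

The detection angle for operators who cannot upgrade immediately is the same normalization: log the parsed, lowercased scheme and host of every webhook or download URL rather than the raw string, so a request aimed at a loopback or metadata address is visible regardless of how the scheme was cased.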

Affected Version(s)

gotenberg <= 8.30.1

References

CVSS V4

Score: 7.8
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
