Server-Side Request Forgery in Gotenberg PDF API
CVE-2026-42591

8.2HIGH

Key Information:

Vendor: Gotenberg
Status: Gotenberg
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-42591?

The Gotenberg PDF API, designed to facilitate PDF file manipulation, suffers from a server-side request forgery vulnerability. Prior to version 8.32.0, the API’s LibreOffice conversion endpoint directly processes uploaded documents without adequate content validation. This flaw allows LibreOffice to autonomously retrieve external URLs embedded within these documents, circumventing server-side request forgery protection mechanisms. The issue has been addressed in version 8.32.0, emphasizing the necessity for users to update their installations to mitigate this risk.

Affected Version(s)

gotenberg < 8.32.0

References

https://github.com/gotenberg/gotenberg/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 29, 2026

CVE-2026-42591 Data

JSON