Docker-Powered API for PDF Files Vulnerability in Gotenberg
CVE-2026-42592

5.3MEDIUM

Key Information:

Vendor: Gotenberg
Status: Gotenberg
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-42592?

Gotenberg, a stateless API for PDF file processing, exhibits a vulnerability related to improper DNS resolution before version 8.32.0. The flaw arises when FilterOutboundURL resolves hostnames, checking against a private-address deny-list but failing to securely handle IP addresses. An attacker can exploit this weakness by controlling the DNS for a hostname with a short TTL. This allows the return of a public IP address on the first query, followed by a private IP on subsequent queries. Consequently, when Chromium attempts to connect, it may reach an internal address controlled by the attacker, leading to unauthorized access to private services. This issue has been addressed in version 8.32.0.

Affected Version(s)

gotenberg < 8.32.0

References

https://github.com/gotenberg/gotenberg/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 29, 2026

CVE-2026-42592 Data

JSON