Concurrency Issue in Gotenberg API for PDF File Processing
CVE-2026-42594

7.5HIGH

Key Information:

Vendor: Gotenberg
Status: Gotenberg
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-42594?

A concurrency issue in the Gotenberg API prior to version 8.32.0 can lead to process crashes due to improper handling of recycled context during concurrent requests. When the webhook middleware spawns a goroutine that retains a reference to the request's context after the main handler has already returned an error, it creates a situation where the context may be cleared by another request. This can cause panics when the webhook goroutine attempts to access a nil store entry, resulting in unexpected crashes. This vulnerability is particularly concerning as it can be triggered by anonymous callers with a high volume of requests, thus affecting the stability of the Gotenberg API. Users are advised to upgrade to version 8.32.0 or later to mitigate this issue.

Affected Version(s)

gotenberg < 8.32.0

References

https://github.com/gotenberg/gotenberg/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 29, 2026

CVE-2026-42594 Data

JSON