Regex-Based Bypass Vulnerability in Gotenberg PDF API by Gotenberg
CVE-2026-42596

9.4CRITICAL

Key Information:

Vendor: Gotenberg
Status: Gotenberg
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-42596?

The Gotenberg PDF API, a Docker-powered tool for handling PDF files, has a vulnerability that allows attackers to bypass the default deny-lists in its downloadFrom and webhook features. This flaw occurs due to the regex-based and case-sensitive nature of the filter, enabling unauthenticated users to craft malicious URLs targeting internal loopback or private HTTP services that should have been protected. As a result, an external actor can make the server perform outbound requests to internal resources, thereby breaching otherwise secured boundaries. This issue was resolved in version 8.31.0.

Affected Version(s)

gotenberg < 8.31.0

References

https://github.com/gotenberg/gotenberg/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 29, 2026

CVE-2026-42596 Data

JSON