Remote File Access Vulnerability in Gotenberg PDF API
CVE-2026-42597

5.9 MEDIUM

Key Information:

Vendor

Gotenberg

Status
Vendor
CVE Published:
14 May 2026

What is CVE-2026-42597?

An access control vulnerability in Gotenberg allows unauthenticated users to read local files through specific API routes. Prior to version 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url endpoints accepted 'file:///tmp/...' URLs from unauthenticated users. The issue arises because the default Chromium deny-list exemption for 'file:///tmp/', which exists so that local assets can be loaded, also applies to the URL submitted to these routes, and the routes themselves lack an 'AllowedFilePrefixes' guard. An attacker can therefore enumerate and read the raw source files of other conversions that are in progress on the same instance.
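As an added illustration, and not Gotenberg's own code, the following Go check shows the kind of route-level guard the description refers to: a URL-accepting route keeps accepting http(s) URLs, but a file:// URL is allowed only when its cleaned path sits under an explicitly configured prefix, so that 'file:///tmp/...' is rejected whenever no prefix has been configured. The function name, variable names and sample prefixes are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrForbiddenURL is returned for any URL the route must not fetch.
var ErrForbiddenURL = errors.New("url scheme or path not permitted for this route")

// ValidateConvertURL mirrors an "allowed file prefixes" guard for a
// /convert/url style route. http and https URLs are accepted as before;
// a file URL is accepted only under one of the allowed directory prefixes.
// With an empty allow-list every file URL is rejected, which is the safe
// default for an unauthenticated endpoint.
func ValidateConvertURL(raw string, allowedPrefixes []string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		return nil
	case "file":
		// path.Clean collapses "." and ".." segments first, so a traversal
		// such as /tmp/allowed/../other cannot slip past the prefix check.
		p := path.Clean(u.Path)
		for _, prefix := range allowedPrefixes {
			prefix = path.Clean(prefix)
			// Require a directory boundary: /tmp/allowed must not match /tmp/allowedx.
			if p == prefix || strings.HasPrefix(p, prefix+"/") {
				return nil
			}
		}
		return ErrForbiddenURL
	default:
		return ErrForbiddenURL
	}
}

func main() {
	// Constructed sample inputs: the page's file:///tmp/... case with no
	// configured prefix, and a traversal attempt against a configured one.
	fmt.Println(ValidateConvertURL("file:///tmp/job-123/index.html", nil))
	fmt.Println(ValidateConvertURL("https://example.com/page", nil))
	fmt.Println(ValidateConvertURL("file:///tmp/allowed/../job-123/index.html", []string{"/tmp/allowed"}))
}
```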

Affected Version(s)

gotenberg < 8.32.0

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
