Blind SSRF and Local File Disclosure Vulnerability in Gotenberg by StatsRoy
CVE-2026-55229

7.5HIGH

Key Information:

Vendor

Gotenberg

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55229?

Gotenberg, a Docker-based API designed for PDF document processing, incorporates a critical vulnerability in versions prior to 8.34.0. This flaw exists in the /forms/libreoffice/convert endpoint, allowing attackers to craft malicious documents that trigger external HTTP(S) requests and access local file resources during the document conversion process. This could lead to unauthorized resource retrieval and limited local file disclosure, posing significant security risks. Users are advised to update to version 8.34.0 or later to mitigate these vulnerabilities.

Affected Version(s)

gotenberg < 8.34.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.