CVE-2026-40893
Gotenberg · Gotenberg
Gotenberg is susceptible to path traversal and improper input validation, allowing external control over file paths used by the API.
Executive summary
An unauthenticated vulnerability in the Gotenberg API allows for arbitrary file path manipulation, posing a significant risk to system security.
Vulnerability
This vulnerability (CWE-73, CWE-184) stems from the external control of file names or paths and incomplete input validation. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the vulnerability is fully automatable and does not require authentication.
Business impact
Successful exploitation allows an attacker to manipulate file paths, which could lead to unauthorized file access, overwriting critical system files, or information disclosure. With a CVSS score of 8.2, the potential for unauthorized API usage in an enterprise environment is substantial.
Remediation
Immediate Action: Upgrade to the latest version of the Gotenberg API. If a specific patch version is not yet available, restrict API access at the network level.
Proactive Monitoring: Monitor API access logs for anomalous file path requests or attempts to traverse directories outside of intended working folders.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block path traversal sequences (e.g., ../) in API input parameters.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
The presence of a proof-of-concept elevates the risk profile for this vulnerability. Administrators should immediately evaluate the exposure of their Gotenberg instances and apply security updates or implement strict WAF filtering to prevent exploitation.