CVE-2026-42591
Gotenberg · Gotenberg
Gotenberg is vulnerable to Server-Side Request Forgery (SSRF), allowing unauthenticated attackers to access sensitive information through unauthorized server-side requests.
Executive summary
A critical Server-Side Request Forgery vulnerability in Gotenberg allows unauthenticated attackers to gain unauthorized access to data, necessitating urgent review of security configurations.
Vulnerability
This is a Server-Side Request Forgery (CWE-918) vulnerability. The vulnerability allows an unauthenticated attacker to manipulate the application into performing unauthorized requests, leading to potential information disclosure.
Business impact
With a CVSS score of 8.2 (High), this vulnerability poses a serious risk to data confidentiality. Successful exploitation could allow an attacker to read internal files or interact with internal APIs that the server has access to, potentially compromising the integrity of the broader application environment.
Remediation
Immediate Action: Review the official Gotenberg security advisory for guidance on remediation, as a definitive fixed version may be pending or requires specific configuration changes.
Proactive Monitoring: Review access logs for anomalous request patterns, specifically those attempting to access internal resources or non-public URL schemes.
Compensating Controls: Use network-level access control lists (ACLs) to restrict the Gotenberg service from accessing sensitive internal segments of the network.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Organizations should treat this vulnerability as high priority. Since a specific patch version remains unclear despite the advisory, monitor the Gotenberg repository for updates and enforce strict network segmentation to limit the potential blast radius of a successful exploit.