CVE-2026-42595
Gotenberg · Gotenberg
Gotenberg is vulnerable to Server-Side Request Forgery (SSRF), allowing unauthenticated attackers to perform unauthorized requests from the server.
Executive summary
A critical Server-Side Request Forgery vulnerability in Gotenberg allows unauthenticated attackers to perform unauthorized requests, posing a significant risk to internal network security.
Vulnerability
This is a Server-Side Request Forgery (CWE-918) vulnerability. The application fails to properly validate user-supplied input, allowing unauthenticated remote attackers to force the server to make unauthorized requests to internal or external resources.
Business impact
The CVSS score of 8.6 (High) reflects the potential for severe impact, including the exfiltration of sensitive internal data or interaction with internal services that are not exposed to the internet. Because the vulnerability is automatable and requires no authentication, it presents a high risk of large-scale exploitation against exposed instances, potentially leading to significant data breaches or unauthorized access to internal infrastructure.
Remediation
Immediate Action: Upgrade to Gotenberg version 8.32.0 or later immediately to apply the vendor-supplied fix.
Proactive Monitoring: Monitor network egress logs for unusual traffic patterns originating from the Gotenberg container, particularly requests directed toward internal IP addresses or sensitive local services.
Compensating Controls: Deploy or update Web Application Firewall (WAF) rules to inspect and block suspicious outbound requests or malformed payloads targeting API endpoints.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the high severity and the existence of a proof-of-concept, organizations should prioritize patching Gotenberg to version 8.32.0. Failure to address this vulnerability increases the risk of unauthorized access to internal systems; applying the update is the only effective way to neutralize the underlying flaw.