CVEFinder.io

CVE-2026-42592

🔶 medium
🔍 Scan for this CVE
Summary

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname with a short TTL returns a public IP on the first query (Gotenberg allows) and a private IP on the second query (Chromium connects to t

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname with a short TTL returns a public IP on the first query (Gotenberg allows) and a private IP on the second query (Chromium connects to the attacker-chosen internal address). The CDP Fetch.requestPaused handler re-checks the URL but runs its own DNS resolution, leaving a timing window before Chromium's actual TCP connect. The rendered internal service response returns to the caller as a PDF. This vulnerability is fixed in 8.32.0.

CVSS Score
5.3
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-14
First Seen: 2026-05-17
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 19.7% of all 328,009 vulnerabilities in our database.

#263,349
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 14, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-05-18
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE IDs (Weakness Types)
CWE-367 CWE-918

📦 Affected Products 1

Vendor Product Status Affected Versions
thecodingmachine gotenberg Affected
< 8.32.0

🔗 References 1

https://github.com/gotenberg/gotenberg/security/advi...
Exploit Mitigation Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-40893 ⚠️ high 8.2 0.2 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly ... 2026-05-14
CVE-2026-42589 ⛔ critical 9.8 0.1 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write... 2026-05-14
CVE-2026-42590 ⚠️ high 8.2 0.1 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Got... 2026-05-14
CVE-2026-42591 ⚠️ high 8.2 0.0 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/... 2026-05-14
CVE-2026-42593 🔶 medium 5.3 0.1 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoff... 2026-05-14
CVE-2026-42594 ⚠️ high 7.5 0.0 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine th... 2026-05-14
These CVEs affect the same products