EXECUTIVE SUMMARY:
CVE-2026-42595 (CVSS 8.6) is a Server-Side Request Forgery (SSRF) vulnerability in Gotenberg affecting versions prior to 8.32.0. Gotenberg's Chromium URL-to-PDF endpoint accepts a URL and fetches it server-side, and it ships with no default protection against HTTP/HTTPS-based SSRF. An unauthenticated attacker can point Chromium at any internal IP address, including loopback, RFC 1918 ranges and cloud metadata endpoints, and receive the response rendered as a PDF. Even when operators configure a custom deny-list, the check is bypassed via HTTP redirects: the deny-list is evaluated against the URL the client submitted, but the fetch follows redirects to targets that were never checked. An attacker can therefore read internal resources reachable from the Gotenberg host, leading to unauthorized data access and, where those resources include credentials (for example from a cloud metadata service), broader system compromise and data breaches. The only stated prerequisite is that the Chromium URL endpoint is reachable without authentication.
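The deny-list bypass described above comes down to where the check is applied. The Go program below is an added illustration, not Gotenberg's own code: it contrasts a check that evaluates a host deny-list against the submitted URL only with one that vets every hop of the redirect chain by the address each host resolves to. The hostnames, addresses, redirect chains and the deny-list regex are constructed for the example, and DNS is replaced by an in-memory table so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// Constructed stand-in for DNS so the example runs offline. A real implementation
// would call net.LookupIP; the names and addresses below are invented for the demo.
var fakeDNS = map[string][]net.IP{
	"attacker.example": {net.ParseIP("203.0.113.10")}, // attacker-controlled redirector
	"db.corp.example":  {net.ParseIP("10.0.0.5")},     // internal host behind a public-looking name
}

// denyList mimics an operator-supplied regex deny-list applied to the URL host text:
// literal loopback, RFC 1918 and link-local (169.254.x.x, where cloud metadata lives).
var denyList = regexp.MustCompile(`^(127\.|10\.|192\.168\.|169\.254\.|localhost$)`)

// hostOf returns the host part of a URL without the port.
func hostOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("no host in %q", raw)
	}
	return u.Hostname(), nil
}

// resolve maps a host to addresses: a literal IP as-is, otherwise via the fake DNS table.
func resolve(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	if ips, ok := fakeDNS[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("unknown host %q", host)
}

// isInternal is the address-level policy: anything not globally routable is refused.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// checkSubmittedURLOnly models the weak pattern: the deny-list is evaluated once,
// against the submitted URL, and redirects are then followed unchecked.
func checkSubmittedURLOnly(chain []string) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	host, err := hostOf(chain[0])
	if err != nil {
		return err
	}
	if denyList.MatchString(host) {
		return fmt.Errorf("denied by list: %s", host)
	}
	return nil // hops 2..n are never looked at
}

// checkEveryHop models the hardened pattern: every URL in the redirect chain is
// resolved and every resulting address is tested against the internal-range policy.
func checkEveryHop(chain []string) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	for i, raw := range chain {
		host, err := hostOf(raw)
		if err != nil {
			return err
		}
		ips, err := resolve(host)
		if err != nil {
			return err
		}
		for _, ip := range ips {
			if isInternal(ip) {
				return fmt.Errorf("hop %d (%s) resolves to %s: refused", i+1, raw, ip)
			}
		}
	}
	return nil
}

func main() {
	// Constructed redirect chains, listed in the order a fetch would visit them.
	cases := []struct {
		name  string
		chain []string
	}{
		{"direct metadata", []string{"http://169.254.169.254/latest/meta-data/"}},
		{"redirect to metadata", []string{"https://attacker.example/go", "http://169.254.169.254/latest/meta-data/"}},
		{"internal via DNS", []string{"https://db.corp.example/admin"}},
	}
	for _, c := range cases {
		fmt.Printf("%-22s submitted-only: %v | every-hop: %v\n",
			c.name, checkSubmittedURLOnly(c.chain), checkEveryHop(c.chain))
	}
}
```

Two caveats for anyone adapting this: resolving a hostname in a check and then letting the HTTP client resolve it again at dial time leaves a DNS-rebinding window, so a production implementation should dial the address it vetted rather than the name; and because Gotenberg drives a real browser, the same policy has to cover every subresource the page loads, not only the top-level navigation. Network-level egress filtering on the Gotenberg host is the backstop when the application-level check is wrong.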
RECOMMENDATION:
Upgrade Gotenberg to 8.32.0 or later, the first version not listed as affected. Until the upgrade is done, do not expose the Chromium URL-to-PDF endpoint without authentication, and do not rely on a URL deny-list alone: because the bypass works through HTTP redirects, a mitigation has to vet every hop of a fetch and the address each hostname resolves to, and egress from the Gotenberg host to loopback, RFC 1918 ranges and the cloud metadata endpoint should be blocked at the network level regardless.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-chwh-f6gm-r836