Threat Advisory

Gotenberg Vulnerability Activates Webhook Outage Loops

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-42594 (CVSS score 7.5) is an unauthenticated denial-of-service vulnerability in the Gotenberg service. It is introduced by the webhook middleware, which spawns a goroutine that keeps a reference to the request's `echo.Context` after the synchronous handler returns `ErrAsyncProcess` and Echo recycles the context back to its `sync.Pool`. When a concurrent request claims the recycled context, `c.Reset()` clears the store. If the webhook goroutine reaches `hardTimeoutMiddleware` at that moment, an unchecked type assertion on a nil store entry panics outside any `recover()` scope, crashing the Gotenberg process. An attacker can trigger this with a single-source stress of ~24 webhook requests plus ~60 `GET /version` requests, requiring only anonymous access to the webhook path. Successful exploitation crashes the Gotenberg process, with business consequences including service downtime, lost productivity, and potential data loss. Prerequisites for exploitation include access to the webhook path, which is not filtered by the default `webhook-deny-list` configuration.
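
The dangling-context pattern described above, reduced to a small Go model. This is an added illustration and not Gotenberg's or Echo's code: a pooled per-request `Context` whose store is cleared on reuse, an unchecked single-value type assertion of the kind that panics when the entry has become nil, and two defensive alternatives (the two-value assertion, and snapshotting the values an asynchronous goroutine needs before the handler returns). The `Context`, `freeList`, `acquireContext`, `releaseContext`, `snapshotJob` and `hardTimeout*` names are constructed for this example, and the mitigations shown are general Go practice, not a claim about how the 8.32.0 fix is implemented.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Context is a hypothetical stand-in for echo.Context: a per-request object
// with a key/value store that the framework wipes when it reuses the object.
type Context struct {
	store map[string]any
}

// Reset models echo's c.Reset(): the store is replaced, so a goroutine that
// still holds this pointer now reads nil for every key it set earlier.
func (c *Context) Reset()                 { c.store = map[string]any{} }
func (c *Context) Set(key string, v any) { c.store[key] = v }
func (c *Context) Get(key string) any    { return c.store[key] }

// freeList is a deterministic stand-in for the sync.Pool Echo recycles
// contexts through (not safe for concurrent use; demonstration only).
var freeList []*Context

// acquireContext hands out a pooled context, reset for the new request,
// exactly as a framework does when the next request arrives.
func acquireContext() *Context {
	if n := len(freeList); n > 0 {
		c := freeList[n-1]
		freeList = freeList[:n-1]
		c.Reset()
		return c
	}
	return &Context{store: map[string]any{}}
}

// releaseContext returns the context to the pool once the synchronous handler
// has returned; any goroutine still holding c now has a dangling reference.
func releaseContext(c *Context) { freeList = append(freeList, c) }

// hardTimeoutUnchecked reproduces the defect class: a single-value type
// assertion on a store entry. If the entry is nil because the context was
// reset, this panics; outside a recover() that terminates the process.
func hardTimeoutUnchecked(c *Context) time.Duration {
	return c.Get("hardTimeout").(time.Duration)
}

// hardTimeoutChecked is the defensive form: the two-value assertion turns a
// missing or mistyped entry into an error instead of a panic.
func hardTimeoutChecked(c *Context) (time.Duration, error) {
	d, ok := c.Get("hardTimeout").(time.Duration)
	if !ok {
		return 0, errors.New("hardTimeout missing from context store (reset or never set)")
	}
	return d, nil
}

// asyncJob holds everything an asynchronous webhook-style goroutine needs.
// Copying these out before the handler returns removes the goroutine's
// dependency on the soon-to-be-recycled context entirely.
type asyncJob struct {
	hardTimeout time.Duration
	webhookURL  string
}

// snapshotJob captures the values while the context is still owned by the
// current request, returning an error rather than panicking if any are absent.
func snapshotJob(c *Context) (asyncJob, error) {
	d, err := hardTimeoutChecked(c)
	if err != nil {
		return asyncJob{}, err
	}
	u, ok := c.Get("webhookURL").(string)
	if !ok {
		return asyncJob{}, errors.New("webhookURL missing from context store")
	}
	return asyncJob{hardTimeout: d, webhookURL: u}, nil
}

// panics reports whether fn panics, so the defect can be shown without
// crashing the demonstration itself.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	// Request 1 stores its values, snapshots them, and its handler returns.
	c := acquireContext()
	c.Set("hardTimeout", 30*time.Second)
	c.Set("webhookURL", "https://example.invalid/hook") // constructed sample value
	job, _ := snapshotJob(c)
	releaseContext(c)
	// Request 2 claims and resets the same object, as a concurrent request would.
	_ = acquireContext()

	fmt.Println("unchecked assertion panics after reset:", panics(func() { hardTimeoutUnchecked(c) }))
	_, err := hardTimeoutChecked(c)
	fmt.Println("checked assertion after reset:", err)
	fmt.Println("snapshot still valid:", job.hardTimeout, job.webhookURL)
}
```

Run with `go run` on the file; the first line reports `true` (the unchecked read panics once the context has been reused), the second an error instead of a crash, and the third the values the goroutine would still have if it had copied them out before the handler returned. The snapshot approach is the stronger of the two because it removes the shared object from the goroutine altogether, whereas the two-value assertion only converts the crash into a handled failure.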

RECOMMENDATION:

We recommend updating Gotenberg to version 8.32.0 or later.

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-r33j-c622-r6qp