CVE-2026-27018
URL Scheme Bypass Vulnerability in Gotenberg API Document Converter

Publication date: 2026-03-30

Last updated on: 2026-04-29

Assigner: GitHub, Inc.

Description
Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.
Meta Information
Published: 2026-03-30
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
Reference: NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: thecodingmachine
Product: gotenberg
Version / Range: all versions before 8.29.0 (8.29.0 excluded)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-27018 is a high-severity vulnerability in Gotenberg that allows unauthenticated arbitrary file reads from the container. This can expose sensitive local files such as environment variables, configuration files, credentials, and other sensitive data.

Exposure of such sensitive data could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over personal and sensitive information. Unauthorized access to confidential files may result in non-compliance due to data breaches or improper handling of protected information.

Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations by potentially exposing sensitive data that must be protected under these frameworks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for POST requests to the Gotenberg URL conversion endpoints that include mixed-case or uppercase file URL schemes, such as "FILE:///etc/passwd" or "File:///etc/passwd". These requests attempt to bypass the deny-list regex that only blocks lowercase "file:" schemes.

Specifically, detection involves inspecting requests to endpoints that convert URLs or HTML content referencing file URLs, looking for usage of mixed-case or uppercase "file:" schemes which should be blocked but are not due to the case-sensitive regex.

Suggested commands to detect such attempts include using network traffic inspection tools like tcpdump or tshark to filter HTTP POST requests containing mixed-case file URLs, for example:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST' | grep -E 'FILE://|File://'
  • tshark -Y 'http.request.method == "POST" && http contains "FILE://"' -T fields -e http.host -e http.request.uri

Additionally, reviewing application logs for requests containing mixed-case file URL schemes or analyzing PDF outputs for unexpected inclusion of local file contents (e.g., /etc/passwd) can help identify exploitation attempts.


Can you explain this vulnerability to me?

This vulnerability affects Gotenberg, an API used for converting document formats. Before version 8.29.0, a previously introduced fix for another vulnerability (CVE-2024-21527) could be bypassed by using mixed-case or uppercase URL schemes. This means that the security fix was not fully effective against certain variations in URL formatting, allowing potential exploitation.
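The weakness the detection answer describes is a deny-list regex that matches only a lowercase "file:" prefix, so any other casing of the scheme slips past it. The following Go program is an added example, not Gotenberg's own code: it places that case-sensitive check beside a hardened one that parses the URL and compares the lowercased scheme (RFC 3986 schemes are case-insensitive), and it scans constructed log lines for requests that the hardened check denies but the case-sensitive check would have let through. The deny-list contents, the hypothetical log format with a `url=` field, and the sample log lines are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// deniedSchemes is a constructed deny-list for this example; it is not
// Gotenberg's real list.
var deniedSchemes = map[string]bool{"file": true}

// lowercaseFileRe mirrors the weakness class the advisory describes: a
// case-sensitive regex that only recognises a lowercase "file:" prefix.
var lowercaseFileRe = regexp.MustCompile(`^file:`)

// vulnerableSchemeDenied is the flawed check: "FILE:" and "File:" pass it.
func vulnerableSchemeDenied(raw string) bool {
	return lowercaseFileRe.MatchString(raw)
}

// hardenedSchemeDenied parses the URL and compares the scheme after
// lowercasing it. Go's net/url already lowercases the scheme on parse;
// the explicit ToLower keeps the intent visible. Anything that fails to
// parse is denied (fail closed).
func hardenedSchemeDenied(raw string) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return true
	}
	return deniedSchemes[strings.ToLower(u.Scheme)]
}

// urlFieldRe pulls the value of a "url=" field out of a log line. The
// log format is hypothetical and assumed for this example.
var urlFieldRe = regexp.MustCompile(`\burl=(\S+)`)

// MixedCaseBypassAttempts returns the log lines whose url field names a
// denied scheme in a casing the case-sensitive check would have missed.
// Lowercase "file:" URLs are not returned: the old check already blocked
// those, so they are not bypass attempts.
func MixedCaseBypassAttempts(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		m := urlFieldRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if hardenedSchemeDenied(m[1]) && !vulnerableSchemeDenied(m[1]) {
			hits = append(hits, line)
		}
	}
	return hits
}

// SampleLogLines are constructed for this example (timestamps, paths and
// URLs are made up); they are not real Gotenberg logs.
var SampleLogLines = []string{
	`2026-03-30T10:00:01Z POST /forms/chromium/convert/url url=https://example.com/report`,
	`2026-03-30T10:00:02Z POST /forms/chromium/convert/url url=file:///etc/passwd`,
	`2026-03-30T10:00:03Z POST /forms/chromium/convert/url url=FILE:///etc/passwd`,
	`2026-03-30T10:00:04Z POST /forms/chromium/convert/url url=File:///etc/hostname`,
}

func main() {
	for _, raw := range []string{"file:///etc/passwd", "FILE:///etc/passwd", "https://example.com"} {
		fmt.Printf("%-22s vulnerable-denied=%-5v hardened-denied=%v\n",
			raw, vulnerableSchemeDenied(raw), hardenedSchemeDenied(raw))
	}
	for _, hit := range MixedCaseBypassAttempts(SampleLogLines) {
		fmt.Println("bypass attempt:", hit)
	}
}
```

The design point is that the check operates on the parsed, normalized scheme rather than on the raw string, so it does not matter how the request spells "file"; a fail-closed default on parse errors avoids a second class of bypass where malformed input is treated as harmless. The same normalized comparison doubles as the detection predicate when run over logs.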


How can this vulnerability impact me?

Because the fix for a prior vulnerability can be bypassed using mixed-case or uppercase URL schemes, attackers might exploit this to circumvent security measures in Gotenberg versions prior to 8.29.0. This could lead to unauthorized actions or access through the API, potentially compromising the integrity or confidentiality of document conversions.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Gotenberg to version 8.29.0 or later, where the issue has been patched.

