CVE-2026-27018
Received Received - Intake
URL Scheme Bypass Vulnerability in Gotenberg API Document Converter

Publication date: 2026-03-30

Last updated on: 2026-04-29

Assigner: GitHub, Inc.

Description
Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27018
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
thecodingmachine gotenberg to 8.29.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Gotenberg, an API used for converting document formats. Before version 8.29.0, a previously introduced fix for another vulnerability (CVE-2024-21527) could be bypassed by using mixed-case or uppercase URL schemes. This means that the security fix was not fully effective against certain variations in URL formatting, allowing potential exploitation.

Impact Analysis

Because the fix for a prior vulnerability can be bypassed using mixed-case or uppercase URL schemes, attackers might exploit this to circumvent security measures in Gotenberg versions prior to 8.29.0. This could lead to unauthorized actions or access through the API, potentially compromising the integrity or confidentiality of document conversions.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gotenberg to version 8.29.0 or later, where the issue has been patched.

Compliance Impact

CVE-2026-27018 is a high-severity vulnerability in Gotenberg that allows unauthenticated arbitrary file reads from the container. This can expose sensitive local files such as environment variables, configuration files, credentials, and other sensitive data.

Exposure of such sensitive data could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over personal and sensitive information. Unauthorized access to confidential files may result in non-compliance due to data breaches or improper handling of protected information.

Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations by potentially exposing sensitive data that must be protected under these frameworks.

Detection Guidance

This vulnerability can be detected by monitoring for POST requests to the Gotenberg URL conversion endpoints that include mixed-case or uppercase file URL schemes, such as "FILE:///etc/passwd" or "File:///etc/passwd". These requests attempt to bypass the deny-list regex that only blocks lowercase "file:" schemes.

Specifically, detection involves inspecting requests to endpoints that convert URLs or HTML content referencing file URLs, looking for usage of mixed-case or uppercase "file:" schemes which should be blocked but are not due to the case-sensitive regex.

Suggested commands to detect such attempts include using network traffic inspection tools like tcpdump or tshark to filter HTTP POST requests containing mixed-case file URLs, for example:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST' | grep -E 'FILE://|File://'
  • tshark -Y 'http.request.method == "POST" && http contains "FILE://"' -T fields -e http.host -e http.request.uri

Additionally, reviewing application logs for requests containing mixed-case file URL schemes or analyzing PDF outputs for unexpected inclusion of local file contents (e.g., /etc/passwd) can help identify exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27018. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart