CVE-2026-39383
Blind SSRF in Gotenberg Document Conversion Tool
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gotenberg | gotenberg | up to and including 8.29.1 |
| gotenberg | gotenberg | 8.31.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Gotenberg, an API-based document conversion tool. In affected versions (up to and including 8.29.1), an unauthenticated attacker with network access to the API can set the Gotenberg-Webhook-Url request header to make the server send outbound HTTP POST requests to arbitrary internal or external destinations.
The issue arises because the FilterDeadline function, which is supposed to restrict outbound webhook URLs, returns nil (no error) when both the allow-list and the deny-list are empty, which is the default configuration; every URL is therefore permitted.
This is a blind Server-Side Request Forgery (SSRF): Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code indicates an error. The response body is never returned to the attacker, so the attacker learns only whether the request failed.
That is still enough to probe internal network infrastructure, trigger POST requests against internal services whose handlers perform side effects, and confirm the reachability of cloud metadata endpoints. Because the HTTP client retries failed webhook deliveries up to 4 times, one crafted request can generate several outbound requests.
The vulnerability was fixed in version 8.31.0. As a workaround, the webhook allow-list and deny-list environment variables can be configured to restrict or block webhook URLs.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to make your Gotenberg server send HTTP POST requests to arbitrary internal or external destinations without authentication.
This can be used to probe your internal network infrastructure, potentially revealing sensitive internal services or cloud metadata endpoints.
Attackers can also force POST requests that cause side effects on internal services, which could lead to unauthorized actions or data manipulation.
The automatic retries amplify the number of requests, increasing the potential impact.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Gotenberg to version 8.31.0 or later, where the issue is fixed.
Until you can upgrade, configure the webhook URL filters so that the filter no longer defaults to permitting everything. Both settings take a regular expression that is matched against the webhook URL:
- Set GOTENBERG_API_WEBHOOK_ALLOW_LIST to an anchored pattern that matches only your known webhook receivers (ideally the exact scheme, host and path of each receiver). This is the preferred option, because the filter then fails closed for every other destination.
- Alternatively set GOTENBERG_API_WEBHOOK_DENY_LIST to a pattern that rejects loopback, RFC-1918 and link-local (169.254.0.0/16, which contains the cloud metadata endpoint) address literals. Be aware of the limitation of a URL-string deny list: it cannot see what a hostname resolves to, so a name that resolves to an internal address passes it. Treat the deny list as a stopgap, pair it with egress filtering on the Gotenberg host, and if you do not use the webhook feature at all, strip the Gotenberg-Webhook-Url header at your reverse proxy so the code path is never reached.
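The following Go program is an added illustration of the two points made above (the fail-open filter described in the explanation, and why an allow list beats a URL-string deny list). It is not Gotenberg's code: the names Resolver, staticResolver, filterPermissive and filterStrict, the regular expressions, and the hostnames hooks.example.com and internal.example are all constructed for the example, and DNS is replaced by a fixed lookup table so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
)

// Resolver maps a hostname to the addresses it resolves to. It is injected so the
// example runs offline; a real deployment would wrap net.DefaultResolver.LookupNetIP.
type Resolver func(host string) ([]netip.Addr, error)

// staticResolver is a constructed, hypothetical DNS view used only for this example.
var staticResolver Resolver = func(host string) ([]netip.Addr, error) {
	table := map[string][]string{
		"hooks.example.com": {"203.0.113.10"}, // legitimate receiver (TEST-NET-3)
		"internal.example":  {"10.0.0.5"},     // public-looking name, private address
	}
	addrs, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	var out []netip.Addr
	for _, a := range addrs {
		out = append(out, netip.MustParseAddr(a))
	}
	return out, nil
}

// filterPermissive reproduces the failure mode the advisory describes: with neither
// list configured it returns nil, so any URL is accepted. Illustrative only.
func filterPermissive(allow, deny *regexp.Regexp, raw string) error {
	if allow == nil && deny == nil {
		return nil // the bug: empty configuration means "allow everything"
	}
	if allow != nil && !allow.MatchString(raw) {
		return fmt.Errorf("%q not in allow list", raw)
	}
	if deny != nil && deny.MatchString(raw) {
		return fmt.Errorf("%q in deny list", raw)
	}
	return nil
}

// filterStrict fails closed: an allow list is mandatory, only http(s) is accepted,
// and every address the host resolves to must be routable. The resolution step is
// what a deny list applied to the URL string cannot do.
func filterStrict(allow *regexp.Regexp, resolve Resolver, raw string) error {
	if allow == nil {
		return errors.New("webhook allow list not configured; refusing all destinations")
	}
	if !allow.MatchString(raw) {
		return fmt.Errorf("%q not in allow list", raw)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	var addrs []netip.Addr
	if ip, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{ip} // literal address: nothing to resolve
	} else if addrs, err = resolve(host); err != nil {
		return err
	}
	for _, a := range addrs {
		a = a.Unmap() // treat ::ffff:10.0.0.5 like 10.0.0.5
		if a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
			a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified() {
			return fmt.Errorf("%s resolves to non-routable address %s", host, a)
		}
	}
	return nil
}

func main() {
	// Deny list written against address literals, as the workaround suggests.
	deny := regexp.MustCompile(`^https?://(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)`)
	// Deliberately loose allow list (any host under example/example.com) to show
	// that the resolver check still catches a name that resolves internally.
	allow := regexp.MustCompile(`^https?://[a-z0-9.-]+\.example(\.com)?/`)
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/",
		"http://internal.example/hook",
		"https://hooks.example.com/gotenberg",
	} {
		fmt.Printf("%-45s no-lists=%v  deny-only=%v  strict=%v\n", raw,
			filterPermissive(nil, nil, raw), filterPermissive(nil, deny, raw),
			filterStrict(allow, staticResolver, raw))
	}
}
```

With no lists the permissive filter accepts the metadata URL outright; the deny list rejects it but waves through http://internal.example/hook, because the regular expression never sees the 10.0.0.5 that the name resolves to; the strict filter rejects both and accepts only the real receiver.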
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to make arbitrary outbound HTTP POST requests from the Gotenberg server to internal or external destinations. This can lead to unauthorized access or interaction with internal services and cloud metadata endpoints, potentially exposing sensitive information or enabling side effects within internal infrastructure.
Such unauthorized network interactions and potential data exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access, confidentiality, and network security. Specifically, the ability to probe internal networks and access metadata endpoints may lead to breaches of confidentiality and unauthorized data disclosure.
Mitigations such as configuring allow-lists or deny-lists for webhook URLs are recommended to reduce the risk and help maintain compliance with these regulations by limiting outbound requests to trusted destinations only.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The Gotenberg-Webhook-Url header travels on the inbound request to the Gotenberg API; the outbound POST that Gotenberg then makes to the webhook destination does not carry it. Detection therefore has two sides: inspect inbound API requests for the header with unexpected values, and watch the Gotenberg host for outbound connections to internal ranges or cloud metadata endpoints (e.g. http://169.254.169.254/) that a document converter has no reason to contact.
Repeated outbound connection attempts to many different internal addresses following a burst of API calls are the signature of probing; because of the retry behaviour, each crafted request can show up several times.
Suggested commands (replace <interface> and <gotenberg_ip>; Gotenberg listens on port 3000 by default, adjust if you changed it):
- Capture inbound API requests on a hop where they are in plaintext (for example between the reverse proxy and Gotenberg) and look for the header:
- tcpdump -l -i <interface> -A 'dst host <gotenberg_ip> and tcp dst port 3000' | grep -i 'Gotenberg-Webhook-Url'
- Search whichever log in front of Gotenberg records request headers. With nginx, add $http_gotenberg_webhook_url to your log_format, then:
- grep -i 'gotenberg-webhook-url' /path/to/proxy/logs/*
- Watch outbound connection attempts (TCP SYN only, any port, so https and non-standard-port destinations are covered too) from the Gotenberg host to internal ranges and the link-local block that contains the cloud metadata address:
- tcpdump -i any -nn 'src host <gotenberg_ip> and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16 or dst net 169.254.0.0/16)'
A filter restricted to port 80 would miss webhook URLs that use https or a non-standard port; the SYN-based filter above does not. Together these checks identify crafted webhook URLs on the way in and the unusual outbound connections they trigger on the way out.
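As an added example of the log-side check described above, the Go program below scans access-log lines that record the Gotenberg-Webhook-Url value, flags destinations that a converter should never be asked to POST to, and counts how many distinct internal hosts each client tried, which is what separates a single misconfigured integration from probing. It is not part of the advisory or of Gotenberg: the log format, the sample lines, the client addresses and the names sampleLog, scan and classifyHost are all constructed for this illustration, and DNS names are deliberately left unresolved (only address literals and well-known metadata hostnames are judged).

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog is a constructed reverse-proxy access log in the hypothetical format
//   <timestamp> <client> <method> <path> <status> "<Gotenberg-Webhook-Url or ->"
// where the proxy has been configured to log the header value as the last field.
const sampleLog = `2026-05-05T10:00:01Z 198.51.100.7 POST /forms/chromium/convert/url 200 "http://169.254.169.254/latest/meta-data/"
2026-05-05T10:00:02Z 198.51.100.7 POST /forms/chromium/convert/url 200 "http://10.0.0.1:8080/admin"
2026-05-05T10:00:03Z 198.51.100.7 POST /forms/chromium/convert/url 200 "http://[::ffff:10.0.0.2]:9200/_cluster/health"
2026-05-05T10:00:04Z 203.0.113.42 POST /forms/libreoffice/convert 200 "https://hooks.example.com/gotenberg"
2026-05-05T10:00:05Z 203.0.113.42 POST /forms/libreoffice/convert 200 "-"
2026-05-05T10:00:06Z 192.0.2.9 POST /forms/chromium/convert/html 200 "http://metadata.google.internal/computeMetadata/v1/"`

var lineRe = regexp.MustCompile(`^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$`)

// metadataHosts lists hostnames of cloud metadata services; the address form
// 169.254.169.254 is caught by the link-local check instead.
var metadataHosts = map[string]bool{"metadata.google.internal": true, "metadata": true}

// Finding is one webhook URL that should not have been accepted.
type Finding struct {
	Client, Webhook, Reason string
}

// classifyHost reports why a webhook host is suspicious. Plain DNS names return
// false: judging them needs resolution, which this offline example does not do.
func classifyHost(host string) (string, bool) {
	if metadataHosts[strings.ToLower(host)] {
		return "cloud metadata hostname", true
	}
	if strings.EqualFold(host, "localhost") {
		return "loopback hostname", true
	}
	a, err := netip.ParseAddr(host)
	if err != nil {
		return "", false
	}
	a = a.Unmap() // ::ffff:10.0.0.2 is judged as 10.0.0.2
	switch {
	case a.IsLinkLocalUnicast():
		return "link-local (cloud metadata range)", true
	case a.IsLoopback():
		return "loopback", true
	case a.IsPrivate():
		return "private (RFC 1918 / ULA)", true
	case a.IsUnspecified():
		return "unspecified address", true
	}
	return "", false
}

// scan returns every flagged request and, per client, the number of distinct
// internal hosts it targeted when that number is at least 2 (probing).
func scan(log string) ([]Finding, map[string]int) {
	var findings []Finding
	distinct := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil || m[6] == "-" {
			continue // malformed line or no webhook header on this request
		}
		client, raw := m[2], m[6]
		u, err := url.Parse(raw)
		if err != nil {
			findings = append(findings, Finding{client, raw, "unparseable webhook URL"})
			continue
		}
		reason, bad := classifyHost(u.Hostname())
		if !bad {
			continue
		}
		findings = append(findings, Finding{client, raw, reason})
		if distinct[client] == nil {
			distinct[client] = map[string]bool{}
		}
		distinct[client][u.Hostname()] = true
	}
	probing := map[string]int{}
	for c, hosts := range distinct {
		if len(hosts) >= 2 {
			probing[c] = len(hosts)
		}
	}
	return findings, probing
}

func main() {
	findings, probing := scan(sampleLog)
	for _, f := range findings {
		fmt.Printf("%-14s %-50s %s\n", f.Client, f.Webhook, f.Reason)
	}
	for c, n := range probing {
		fmt.Printf("probing: %s tried %d distinct internal hosts\n", c, n)
	}
}
```

On the sample, the three requests from 198.51.100.7 (metadata address, two private hosts, one of them hidden behind an IPv4-mapped IPv6 literal) are flagged and the client is reported as probing; the single metadata-hostname request from 192.0.2.9 is flagged but not counted as probing; the genuine receiver is left alone. Hostnames that are not literals are passed through here, so in production add the same resolve-then-classify step a hardened filter would use.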