CVE-2026-40280
URL Scheme Bypass in Gotenberg Document Conversion Tool
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gotenberg | gotenberg | < 8.31.0 (8.31.0 excluded) |
| gotenberg | gotenberg | 8.31.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to bypass deny-lists and access internal network services, including private IP ranges and cloud instance metadata endpoints. This can lead to unauthorized access to sensitive internal data and services.
Such unauthorized access and potential data exposure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive personal and health information.
However, the provided context and resources do not explicitly discuss the direct impact on compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-40280 is a Server-Side Request Forgery (SSRF) vulnerability in Gotenberg versions 8.30.1 and earlier. The default deny-lists for the `--webhook-deny-list` and `--api-download-from-deny-list` flags use a case-sensitive regular expression whose scheme prefix is `^https?://`, so the pattern only recognizes an all-lowercase scheme.
Go's `net/url.Parse()` lowercases the scheme while parsing, and the outbound request is built from the parsed URL. A submitted URL whose scheme is written as `HTTP://`, `HTTPS://`, or `Http://` therefore fails to match the deny-list but is still fetched as an ordinary http or https request. This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints.
This vulnerability enables attackers to circumvent security controls intended to block access to sensitive internal resources, potentially exposing internal services to unauthorized access.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to bypass deny-lists and send requests to internal network services that should be protected, such as private IP ranges, loopback addresses, and cloud instance metadata endpoints.
As a result, attackers can potentially access sensitive internal services, exfiltrate data from internal resources, or interact with cloud metadata services that may contain confidential information.
This can lead to unauthorized data exposure, compromise of internal infrastructure, and further exploitation within the affected environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual or unauthorized outbound requests whose URL scheme is written with uppercase letters, such as `HTTP://`, `HTTPS://`, or `Http://`, since those spellings are what bypass the deny-lists.
You can inspect logs or network traffic for requests targeting internal IP ranges or metadata endpoints whose scheme is not all-lowercase.
Suggested commands include using network monitoring tools like tcpdump or Wireshark to filter HTTP traffic for such schemes, for example:
- `tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -P '(?!https?://)(?i:https?://)'` (the negative lookahead excludes the normal all-lowercase scheme, so only `HTTP://`, `Https://` and similar spellings are reported; include the port Gotenberg's API listens on if it is not fronted by a port 80/443 proxy, and note that the scheme is visible on the wire only where the URL travels as data, such as in a plaintext request handing it to Gotenberg, not inside TLS)
- `grep -rP '(?!https?://)(?i:https?://)' /var/log/gotenberg/` (substitute the directory where Gotenberg's logs are actually stored) to find suspicious requests.
Additionally, reviewing application logs for webhook or API download requests that contain capitalized URL schemes can help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Gotenberg to version 8.31.0 or later, where this vulnerability has been fixed.
The fix involves normalizing URL schemes to lowercase before applying deny-list checks and updating the deny-list regexes to be case-insensitive.
If upgrading immediately is not possible, consider manually patching or configuring the deny-lists to use case-insensitive regular expressions (e.g., using the `(?i)` flag) to block all variations of URL schemes.
Also, review and tighten network access controls to restrict outbound requests from Gotenberg to internal IP ranges and metadata endpoints.
Deprecate or avoid using the older `--webhook-error-allow-list` and `--webhook-error-deny-list` flags, and use the updated `--webhook-allow-list` and `--webhook-deny-list` flags with stricter deny patterns.
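The bypass described under "Can you explain this vulnerability to me?" and the two-part fix described above (normalize first, then match case-insensitively), as an added Go example that is not Gotenberg's own code. The `^https?://` prefix is the advisory's; the host alternation after it is a constructed stand-in for the real default deny-list, and the function names are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Host alternation for the deny-list. Constructed for this example; the real
// Gotenberg default list is longer. The "^https?://" prefix is the advisory's.
const deniedHosts = `(localhost|127\.0\.0\.1|169\.254\.169\.254|10\.\d+\.\d+\.\d+)`

// DenyCaseSensitive has the pre-8.31.0 shape: the scheme match is case-sensitive.
var DenyCaseSensitive = regexp.MustCompile(`^https?://` + deniedHosts)
// DenyCaseInsensitive has the fixed shape: (?i) makes the whole pattern ignore case.
var DenyCaseInsensitive = regexp.MustCompile(`(?i)^https?://` + deniedHosts)

// DeniedRaw applies a deny-list to the URL exactly as submitted, which is
// where a case-sensitive scheme prefix can be sidestepped.
func DeniedRaw(rawURL string, deny *regexp.Regexp) bool {
	return deny.MatchString(rawURL)
}

// DeniedNormalized parses first: net/url.Parse lowercases the scheme, so the
// deny-list sees the same form the HTTP client will actually connect to.
func DeniedNormalized(rawURL string, deny *regexp.Regexp) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	return deny.MatchString(u.String()), nil
}

// EffectiveTarget reports the scheme://host an outbound request would go to.
func EffectiveTarget(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Scheme + "://" + u.Host, nil
}

func main() {
	for _, raw := range []string{"http://127.0.0.1/", "HTTP://127.0.0.1/", "Http://10.0.0.5/admin"} {
		target, _ := EffectiveTarget(raw)
		fmt.Printf("%-22s sensitive=%-5v insensitive=%-5v connects to %s\n", raw,
			DeniedRaw(raw, DenyCaseSensitive), DeniedRaw(raw, DenyCaseInsensitive), target)
	}
}
```

Running it shows the old pattern letting `HTTP://127.0.0.1/` through while the parsed URL still connects to `http://127.0.0.1`; either normalizing before the check or adding `(?i)` closes the gap.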