CVE-2026-55229
Received Received - Intake

Gotenberg LibreOffice SSRF via Document Conversion

Vulnerability report for CVE-2026-55229, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.34.0, Gotenberg's /forms/libreoffice/convert endpoint allows a specially crafted document to cause LibreOffice to automatically retrieve external HTTP(S) resources and local file resources during document conversion, enabling blind SSRF and limited local file disclosure via linked image resource loading. This issue is fixed in version 8.34.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gotenberg gotenberg 8.34.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Gotenberg prior to version 8.34.0 allows an attacker to cause LibreOffice to retrieve external HTTP(S) and local file resources during document conversion, enabling blind SSRF and limited local file disclosure. This could potentially lead to unauthorized access to sensitive information.

Such unauthorized access and data disclosure may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.

However, specific impacts on compliance depend on the context in which Gotenberg is used and the nature of the data processed.

Executive Summary

This vulnerability exists in Gotenberg, a Docker-powered stateless API for PDF files, specifically in versions prior to 8.34.0. The issue is in the /forms/libreoffice/convert endpoint, where a specially crafted document can cause LibreOffice to automatically retrieve external HTTP(S) resources and local file resources during document conversion.

This behavior enables blind Server-Side Request Forgery (SSRF) and limited local file disclosure through linked image resource loading.

The vulnerability is fixed in version 8.34.0.

Impact Analysis

The vulnerability can impact you by allowing an attacker to perform blind SSRF attacks, which means the attacker can make the server send requests to arbitrary external or internal resources without your knowledge.

Additionally, it allows limited local file disclosure, meaning an attacker could potentially access certain local files on the server by exploiting linked image resource loading during document conversion.

These impacts can lead to unauthorized information disclosure and potentially further exploitation depending on the internal network and file system exposure.

Mitigation Strategies

To mitigate this vulnerability, upgrade Gotenberg to version 8.34.0 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart