CVE-2026-40280

Exploit

EPSS 0.46%
Veröffentlicht 05.05.2026 20:16:38
Zuletzt bearbeitet 08.05.2026 19:06:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Gotenberg SSRF via case-insensitive URL scheme bypass in webhook and downloadFrom deny-lists

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/. 

This bypasses the same security control that was patched in CVE-2026-27018.

This issue has been fixed in version 8.31.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Thecodingmachine ≫ Gotenberg Version < 8.31.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.365

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/advisories/GHSA-jjwv-57xh-xr6r

Not Applicable

https://github.com/gotenberg/gotenberg/commit/3f01ca18d3cc21375a1e2da4b5a3f261c8548e47

Patch

https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-40280

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40280

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40280

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40280