CVE-2026-40280

Published: May 05, 2026 Last Modified: May 05, 2026
HIGH 7.8
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/.

This bypasses the same security control that was patched in CVE-2026-27018.

This issue has been fixed in version 8.31.0.
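
The mismatch described above, as an added Go example (not Gotenberg's code): the deny pattern is a constructed stand-in for the real default, and deniedByHost is a hypothetical helper that checks the parsed URL instead of the raw string.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

// Constructed stand-in for a private-IP deny-list, not Gotenberg's real default.
const denyPattern = `^https?://(localhost|127\.|10\.|192\.168\.|169\.254\.)`

var (
	caseSensitive   = regexp.MustCompile(denyPattern)          // weak: scheme must be lowercase
	caseInsensitive = regexp.MustCompile("(?i)" + denyPattern) // matches HTTP://, Http://, ...
)

// deniedByHost parses the URL first, so the check sees the same lowercased
// scheme and host that the HTTP client will use, then classifies the address.
func deniedByHost(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return true // fail closed on unparsable or non-HTTP URLs
	}
	host := u.Hostname()
	if strings.EqualFold(host, "localhost") {
		return true
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false // a DNS name: its resolved addresses still need checking at dial time
	}
	addr = addr.Unmap()
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() || addr.IsUnspecified()
}

func main() {
	// Constructed inputs; the metadata URL is the one quoted in the description.
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/",
		"HTTP://169.254.169.254/latest/meta-data/",
		"https://example.com/hook",
	} {
		u, _ := url.Parse(raw)
		fmt.Printf("%-42s parsed scheme=%-5s regex=%-5v (?i)regex=%-5v host-check=%v\n",
			raw, u.Scheme, caseSensitive.MatchString(raw), caseInsensitive.MatchString(raw), deniedByHost(raw))
	}
}
```

A regex over the raw string and a check on the parsed host disagree exactly where the parser normalizes, which is why the second form is the more robust control.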

CWE-918: Server-Side Request Forgery (SSRF)

Incomplete
Common Consequences
Security Scopes Affected: Confidentiality, Integrity, Access Control
Potential Impacts: Read Application Data, Execute Unauthorized Code Or Commands, Bypass Protection Mechanism
Applicable Platforms
Technologies: AI/ML, Web Based, Web Server
https://github.com/advisories/GHSA-jjwv-57xh-xr6r
https://github.com/gotenberg/gotenberg/commit/3f01ca18d3cc21375a1e2da4b5a3f261c…
https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56