CVE-2026-27018: Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.
The default --chromium-deny-list value is ^file:(?!//\/tmp/).*. This regex is anchored to lowercase file: at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like FILE:///etc/passwd or File:///etc/passwd bypasses the deny-list check but still gets resolved by Chromium as file:///etc/passwd.
The root cause is in pkg/gotenberg/filter.go — the FilterDeadline function compiles the deny-list regex with regexp2.MustCompile(denied.String(), 0), where 0 means no flags (case-sensitive). Since the regex pattern itself doesn’t include a (?i) flag, matching is strictly case-sensitive.
This affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).
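To make the scheme-case mismatch concrete, here is an added Python example (not Gotenberg's own Go code, which uses regexp2). It applies the default deny-list regex as a case-sensitive match, as the affected versions do, and then to a URL whose scheme has first been lowercased per RFC 3986, which is the form Chromium resolves. The normalize_scheme helper, the function names and the sample URLs are this example's own assumptions.

```python
import re

# Default --chromium-deny-list value quoted in the advisory:
# block file: URLs except those under /tmp/.
DENY_LIST = r"^file:(?!//\/tmp/).*"

# RFC 3986 Section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")


def denied_vulnerable(url: str) -> bool:
    """Case-sensitive match against the raw URL (the affected behaviour).

    Because the pattern anchors on lowercase 'file:', 'FILE:' or 'File:'
    slips through even though Chromium resolves it as file:.
    """
    return re.match(DENY_LIST, url) is not None


def normalize_scheme(url: str) -> str:
    """Lowercase only the scheme; the path and query are left untouched.

    Hypothetical helper: mirrors the scheme case-folding a browser applies
    before navigation, so the deny-list sees what Chromium will see.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or not SCHEME_RE.fullmatch(scheme):
        return url  # no scheme present (relative URL); nothing to fold
    return scheme.lower() + ":" + rest


def denied_hardened(url: str) -> bool:
    """Match the deny-list against the scheme-normalized URL."""
    return re.match(DENY_LIST, normalize_scheme(url)) is not None


if __name__ == "__main__":
    # Constructed sample inputs, including the bypass shape from the advisory.
    for sample in ("file:///etc/passwd", "FILE:///etc/passwd",
                   "File:///etc/passwd", "file:///tmp/report.html",
                   "https://example.invalid/"):
        print(f"{sample:28} vulnerable={denied_vulnerable(sample)!s:5} "
              f"hardened={denied_hardened(sample)}")
```

Lowercasing only the scheme keeps the path comparison case-sensitive, so file:///TMP/x is still denied rather than being mistaken for the /tmp/ exception; a whole-pattern case-insensitive flag would not make that distinction.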
References
- github.com/advisories/GHSA-jjwv-57xh-xr6r
- github.com/gotenberg/gotenberg
- github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599eb0c5a11
- github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7fd79fff5
- github.com/gotenberg/gotenberg/releases/tag/v8.29.0
- github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r
- github.com/gotenberg/gotenberg/security/advisories/GHSA-rh2x-ccvw-q7r3
- nvd.nist.gov/vuln/detail/CVE-2026-27018