CVE-2026-42596: Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
The default deny-lists used by Gotenberg’s downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, it only recognises the literal spellings it lists; an unauthenticated attacker can therefore supply an equivalent form of a blocked address, such as the IPv4-mapped IPv6 literal http://[::ffff:127.0.0.1]:..., and reach loopback or private HTTP services that the default deny-list is intended to block. This crosses a real security boundary because an external caller can force the server to make outbound requests to internal-only targets.
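The following is an added example, not Gotenberg's code: it contrasts a textual, case-sensitive deny-list of the kind the advisory describes (the regex here is a constructed illustration, not the project's actual pattern) with a filter that parses the host as an IP address, unmaps IPv4-mapped IPv6 forms, and checks address ranges, so that alternate spellings of the same address are classified the same way.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

// A textual deny-list: matches the host string as written and is case-sensitive.
// Constructed for illustration; it stands in for any regex-style filter.
var textualDenyList = regexp.MustCompile(`^(127\.0\.0\.1|localhost|10\..*|192\.168\..*)$`)

// deniedByTextFilter reports whether the textual pattern blocks the URL's host.
func deniedByTextFilter(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	return textualDenyList.MatchString(u.Hostname()), nil
}

// isInternal classifies a parsed address after unmapping IPv4-mapped IPv6
// (::ffff:127.0.0.1 becomes 127.0.0.1), so the check does not depend on spelling.
func isInternal(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsUnspecified() ||
		a.IsLinkLocalUnicast() || a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast()
}

// deniedByAddressFilter parses the host as an IP literal and checks ranges.
// A hostname that is not a literal returns an error here: a real filter must
// resolve it, check every returned address, and connect to the checked address
// rather than re-resolving (otherwise DNS rebinding can undo the check).
func deniedByAddressFilter(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	host := u.Hostname() // strips the brackets from an IPv6 literal
	if strings.EqualFold(host, "localhost") {
		return true, nil
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false, fmt.Errorf("host %q is not an IP literal; resolve and check each address", host)
	}
	return isInternal(addr), nil
}

func main() {
	// Constructed sample inputs: the same loopback target in three spellings,
	// a case variant of localhost, and a public (TEST-NET-3) address.
	samples := []string{
		"http://127.0.0.1:8080/",
		"http://[::ffff:127.0.0.1]:8080/",
		"http://[::ffff:7f00:1]:8080/",
		"http://LOCALHOST:8080/",
		"http://203.0.113.10/",
	}
	for _, s := range samples {
		t, _ := deniedByTextFilter(s)
		a, err := deniedByAddressFilter(s)
		fmt.Printf("%-35s text-filter=%-5v address-filter=%-5v err=%v\n", s, t, a, err)
	}
}
```

The textual filter blocks only the first sample; the address-based filter blocks the first four and lets the public address through, which is the behaviour a deny-list for outbound fetches needs.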