CVE-2026-42597: Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme
The /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so that the HTML and Markdown routes can load their own request-local assets; those routes apply a per-request AllowedFilePrefixes guard to scope the read to the request's working directory. The URL routes never set AllowedFilePrefixes, so the scope guard is silently skipped. Alice enumerates /tmp/, walks Gotenberg's per-request working directories, and reads the raw source files of other in-flight conversions as rendered PDF output.
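The root cause described above is a scope guard that treats "no prefixes configured" as "no restriction". The Go snippet below is an added illustration written for this page, not Gotenberg's own code: it models the AllowedFilePrefixes guard as a plain slice argument and shows the fail-open variant next to a fail-closed one. The function names (vulnerableCheck, hardenedCheck, checkPrefixes) and the sample paths are hypothetical; the only behaviour taken from the advisory is that an unset prefix list lets file:///tmp/... through.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrFileURLDenied is returned for any file:// URL the guard rejects.
var ErrFileURLDenied = errors.New("file:// URL denied")

// parseFileURL returns the filesystem path of a file:// URL, or ok=false
// for any other scheme (non-file URLs are outside this guard's scope).
func parseFileURL(rawURL string) (path string, isFile bool, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", false, err
	}
	if !strings.EqualFold(u.Scheme, "file") {
		return "", false, nil
	}
	// Only the local host form is meaningful here; anything else is rejected.
	if u.Host != "" && !strings.EqualFold(u.Host, "localhost") {
		return "", true, fmt.Errorf("%w: unexpected host %q", ErrFileURLDenied, u.Host)
	}
	return u.Path, true, nil
}

// checkPrefixes accepts the path only if it sits at or under one of the
// allowed prefixes. Both sides are cleaned first so that "/tmp/a/../b"
// is compared as "/tmp/b", not as something that starts with "/tmp/a".
func checkPrefixes(p string, prefixes []string) error {
	clean := filepath.Clean(p)
	for _, pre := range prefixes {
		pre = filepath.Clean(pre)
		if clean == pre || strings.HasPrefix(clean, pre+string(filepath.Separator)) {
			return nil
		}
	}
	return fmt.Errorf("%w: %s is outside the allowed prefixes", ErrFileURLDenied, clean)
}

// vulnerableCheck models the behaviour the advisory describes (hypothetical
// reconstruction): when the route never set any prefixes, the guard is
// skipped and every file:///tmp/... path is accepted.
func vulnerableCheck(rawURL string, allowedPrefixes []string) error {
	p, isFile, err := parseFileURL(rawURL)
	if err != nil || !isFile {
		return err
	}
	if len(allowedPrefixes) == 0 {
		return nil // fail-open: "nothing configured" is read as "allow all"
	}
	return checkPrefixes(p, allowedPrefixes)
}

// hardenedCheck fails closed: a route that did not declare a working
// directory gets no file:// access at all, and traversal out of the
// declared directory is rejected after path cleaning.
func hardenedCheck(rawURL string, allowedPrefixes []string) error {
	p, isFile, err := parseFileURL(rawURL)
	if err != nil || !isFile {
		return err
	}
	if len(allowedPrefixes) == 0 {
		return fmt.Errorf("%w: route declares no allowed prefixes", ErrFileURLDenied)
	}
	return checkPrefixes(p, allowedPrefixes)
}

func main() {
	// Constructed sample inputs; the directory names are made up.
	cases := []struct {
		rawURL   string
		prefixes []string
	}{
		{"file:///tmp/other-request/input.html", nil},                          // URL route: no prefixes set
		{"file:///tmp/req-123/index.html", []string{"/tmp/req-123"}},           // HTML route: own directory
		{"file:///tmp/req-123/../req-456/input.html", []string{"/tmp/req-123"}}, // traversal attempt
		{"https://example.invalid/page", nil},                                  // non-file URL, not guarded here
	}
	for _, c := range cases {
		fmt.Printf("%-45s vulnerable=%v hardened=%v\n",
			c.rawURL, vulnerableCheck(c.rawURL, c.prefixes), hardenedCheck(c.rawURL, c.prefixes))
	}
}
```

The important design point is the empty-list branch: a guard that is optional per route should deny when it is absent, so that a route which forgot to configure it fails loudly in testing instead of exposing every other request's working directory. Cleaning both the candidate path and the prefix before comparing, and appending the separator to the prefix, closes the usual traversal and sibling-directory ("/tmp/req-1" vs "/tmp/req-10") mismatches.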