CVE-2026-45741: Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes

May 29, 2026

IsPublicIP in pkg/gotenberg/outbound.go incorrectly classifies IPv6 6to4 / NAT64 / deprecated site-local addresses as public IPs, allowing an unauthenticated attacker to reach internal destinations (e.g., cloud metadata services at 169.254.169.254) via a single crafted DNS AAAA record. This is a variant of CVE-2026-44430 (modelcontextprotocol/registry).

References

github.com/advisories/GHSA-86m8-88fq-xfxp
github.com/gotenberg/gotenberg/security/advisories/GHSA-86m8-88fq-xfxp
nvd.nist.gov/vuln/detail/CVE-2026-45741

Code Behaviors & Features

Detect and mitigate CVE-2026-45741 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →