CVE-2026-42596 - Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in dow
GHSA-4vmc-gm8v-m35h CRITICAL go/github.com/gotenberg/gotenberg/v8
CVE: CVE-2026-42596
Summary
The default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services that the default deny-list is intended to block. This crosses a real security boundary because an external caller can force the server to make outbound requests to internal-only targets.
Details
The issue originates from the shipped default deny-list regexes and the way those regexes are applied:
- pkg/modules/api/api.go:198-200 defines the default api-download-from-deny-list.
- pkg/modules/webhook/webhook.go:41-43 defines the default webhook-deny-list.
- pkg/gotenberg/filter.go:20-69 evaluates those patterns with regexp2 using case-sensitive matching.
The attacker-controlled URL then reaches outbound request sinks:
pkg/modules/api/context.go:208-282
- Reads attacker-supplied downloadFrom.
- Calls gotenberg.FilterDeadline(...).
- Issues an outbound GET with retryablehttp.NewRequest(...) and client.Do(...).
pkg/modules/webhook/middleware.go:99-217
- Reads Gotenberg-Webhook-Url and Gotenberg-Webhook-Events-Url.
- Calls gotenberg.FilterDeadline(...).
- Constructs a client for outbound delivery.
pkg/modules/webhook/client.go:39-152
- Sends the success or error webhook request.
pkg/modules/webhook/client.go:155-216
- Sends the webhook event request.
Why the bypass works:
1. The default deny-list only blocks lowercase http:// and https:// prefixes.
2. The filtering logic performs case-sensitive regex matching on the raw user input.
3. Go's HTTP stack accepts multiple textual representations of loopback/private addresses that are not covered by the default regex, including IPv4-mapped IPv6 loopback like http://[::ffff:127.0.0.1]:18081/....
4. As a result, a URL can fail the deny-list check but still be int
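The following is an added example, not code from Gotenberg or from this advisory. It contrasts a string-based, case-sensitive deny-list (a constructed stand-in for the kind of regex described above, not Gotenberg's actual default pattern) with a check that parses the URL, compares the scheme case-insensitively, takes the host from url.Hostname, classifies literal IPs with net.IP (which already understands IPv4-mapped IPv6 such as ::ffff:127.0.0.1) and resolves hostnames so every returned address is classified as well. The function names, the injected Resolver type and the sample hostnames are assumptions made for the example; the port 18081 and the mapped-loopback form come from the advisory text.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// weakDenyList is a constructed stand-in for a string-based, case-sensitive
// deny-list of the kind the advisory describes. It is NOT Gotenberg's real
// default pattern; it exists only to show the failure mode.
var weakDenyList = regexp.MustCompile(`^https?://(localhost|127\.0\.0\.1|\[::1\])(:[0-9]+)?(/|$)`)

// WeakFilterBlocks applies the regex to the raw, unparsed URL string.
func WeakFilterBlocks(raw string) bool {
	return weakDenyList.MatchString(raw)
}

// Resolver maps a hostname to its addresses. It is injected so the check can
// run offline in tests and so the same predicate can be reused at dial time.
type Resolver func(host string) ([]net.IP, error)

// DefaultResolver uses the system resolver (hypothetical helper name).
func DefaultResolver(host string) ([]net.IP, error) { return net.LookupIP(host) }

// StaticResolver answers from a fixed table; unknown names are an error.
func StaticResolver(table map[string][]net.IP) Resolver {
	return func(host string) ([]net.IP, error) {
		if ips, ok := table[strings.ToLower(host)]; ok {
			return ips, nil
		}
		return nil, fmt.Errorf("no such host %q", host)
	}
}

// isInternal reports whether an address belongs to a range an outbound
// fetcher should never reach. net.IP methods see through ::ffff:127.0.0.1,
// so no textual pattern is needed.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// HardenedFilterBlocks decides on the parsed URL rather than the raw string.
// It fails closed: anything that cannot be parsed or resolved is blocked.
func HardenedFilterBlocks(raw string, resolve Resolver) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return true, err
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return true, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // brackets and port already stripped
	if host == "" {
		return true, errors.New("empty host")
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return true, nil
	}
	if ip := net.ParseIP(host); ip != nil {
		return isInternal(ip), nil
	}
	ips, err := resolve(host)
	if err != nil {
		return true, err
	}
	if len(ips) == 0 {
		return true, fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed inputs: the bypass form quoted in the advisory plus a few
	// case and range variants, resolved offline through a static table.
	stub := StaticResolver(map[string][]net.IP{
		"internal.example": {net.ParseIP("192.168.1.5")},
		"public.example":   {net.ParseIP("203.0.113.10")},
	})
	for _, raw := range []string{
		"http://127.0.0.1:18081/",
		"http://[::ffff:127.0.0.1]:18081/",
		"HTTP://LOCALHOST:18081/",
		"http://[fe80::1]/",
		"http://internal.example/",
		"http://public.example/",
	} {
		hard, _ := HardenedFilterBlocks(raw, stub)
		fmt.Printf("%-36s weak=%-5v hardened=%v\n", raw, WeakFilterBlocks(raw), hard)
	}
}
```

Two caveats apply to any check of this shape. Classifying at validation time still leaves a DNS rebinding window between the lookup and the connect, so the same isInternal predicate should also run inside a net.Dialer Control hook against the address actually being dialed. And the HTTP client's CheckRedirect should re-run the filter, since a 3xx from an allowed host can point the client at a loopback or private target.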
📌 Source: GitHub-Advisory | 🆔 CVE-2026-42596 | 📅 2026-05-07