CVE intelligence and bounded remediation

CVE-2026-39383 — Gotenberg is an API-based document conversion tool

High CVSS 7.2

Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL. This is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe. This issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook…

Severity
High
CVSS
7.2 (3.1)
Published
2026-05-05
CISA KEV
Not currently listed
Ecosystem
software/application
Weaknesses
CWE-918

Affected products

  • thecodingmachine / gotenberg

Matched remediation archetype

Server-side request forgery and unintended proxying

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Inventory server-side URL fetchers, webhooks, importers, previews, redirects, proxies, and protocol handlers reachable from untrusted input.
  • Map egress paths to internal services, metadata endpoints, loopback, private address space, and privileged control planes.
  • Review DNS resolution, redirect, proxy, credential-forwarding, and URL parsing behavior without requesting sensitive targets.

Remediate safely

  • Replace arbitrary destinations with named integrations or a strict allowlist of schemes, hosts, ports, and paths.
  • Resolve and validate every destination and redirect hop, then enforce egress policy independently of application checks.
  • Remove ambient credentials and sensitive headers from fetchers; apply response size, time, and content limits.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.