
CVE-2026-40280 - Gotenberg SSRF deny-list bypass

Gotenberg <=8.30.1 contains a critical SSRF bypass in the URL filtering used for webhook and downloadFrom destinations. The private-IP deny-list patterns match lowercase schemes such as http://, while URL schemes are case-insensitive and Go normalizes them before making the outbound request.

An attacker can use uppercase or mixed-case schemes such as HTTP:// to bypass the deny-list and reach private networks, link-local services, loopback targets, or cloud metadata endpoints from the Gotenberg runtime.

Affected versions

  • Vulnerable: Gotenberg <=8.30.1
  • Fixed: Gotenberg 8.31.0+

Indicators of exposure

  • Gotenberg v8 is deployed at or below 8.30.1.
  • The service accepts user-controlled webhook URLs or downloadFrom entries.
  • Runtime SSRF protection relies on deny-list regexes for URL schemes or private network ranges.
  • The workload has egress access to internal services or metadata endpoints.

Quick checks:

rg -n "gotenberg|downloadFrom|WEBHOOK_DENY|DOWNLOAD_FROM_DENY|deny-list" .
docker image ls | rg 'gotenberg'
go list -m all | rg 'gotenberg/gotenberg'
kubectl get networkpolicy -A -o yaml | rg -n "gotenberg|egress|169\\.254|10\\.|172\\.|192\\.168"

Remediation strategy

  • Upgrade Gotenberg to 8.31.0+ and pin image digests.
  • Prefer explicit allow-lists for webhook and downloadFrom destinations over regex-only deny-lists.
  • Add egress controls that block private ranges, loopback, link-local, and metadata endpoints from the Gotenberg workload.
  • If upgrade cannot be immediate, restrict conversion endpoints to trusted callers and block mixed-case URL schemes at the ingress/proxy layer as a temporary mitigation.
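The bypass described at the top of this page, and the allow-list plus resolved-IP checks recommended above, as an added Go example that is not Gotenberg's code and not part of the original advisory. `VulnerableAllowed` is a constructed stand-in for a lowercase-only deny-list of the kind the advisory describes (not Gotenberg's real patterns), and `DestinationPolicy` is a hypothetical hardened check that lowercases the scheme, enforces an optional host allow-list, resolves the host through an injected resolver and rejects any address in loopback, RFC1918, link-local or their IPv6 equivalents, so it also illustrates the two deny-list pitfalls listed under "Watch for" (case-sensitive patterns, matching host text before DNS resolution). The hostnames and addresses in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

// vulnerableDeny: constructed stand-in for a lowercase-only deny-list (not Gotenberg's real patterns).
var vulnerableDeny = []*regexp.Regexp{
	regexp.MustCompile(`^http://127\.`), regexp.MustCompile(`^http://10\.`),
	regexp.MustCompile(`^http://192\.168\.`), regexp.MustCompile(`^http://169\.254\.`),
}

// VulnerableAllowed models the flawed check: patterns run on the raw string and anchor on a
// lowercase scheme, so "HTTP://169.254.169.254/" never matches even though the HTTP client
// treats the scheme case-insensitively.
func VulnerableAllowed(raw string) bool {
	for _, re := range vulnerableDeny {
		if re.MatchString(raw) {
			return false
		}
	}
	return true
}

// blockedNets: loopback, RFC1918, link-local (which contains 169.254.169.254) and IPv6 equivalents.
var blockedNets = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}

// Resolver is injected so the example runs offline; production code would wrap net.DefaultResolver.LookupNetIP.
type Resolver func(host string) ([]netip.Addr, error)

// DestinationPolicy is the hypothetical hardened check: normalise the scheme, enforce an optional
// host allow-list, then resolve the host and reject any answer inside a blocked range.
type DestinationPolicy struct {
	AllowedHosts map[string]bool // lowercase hostnames; nil means no allow-list configured
	Resolve      Resolver
}

func (p DestinationPolicy) Check(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable destination: %w", err)
	}
	// net/url already lowercases the scheme; lowering again keeps the check correct for
	// callers that hand over a pre-built URL with the scheme left raw.
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return fmt.Errorf("scheme %q not permitted", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return errors.New("destination has no host")
	}
	if p.AllowedHosts != nil && !p.AllowedHosts[host] {
		return fmt.Errorf("host %q not on allow-list", host)
	}
	// Decide on resolved addresses, not host text: a public-looking name can resolve to a private IP.
	addrs := []netip.Addr{}
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = append(addrs, ip)
	} else if addrs, err = p.Resolve(host); err != nil {
		return fmt.Errorf("resolving %q: %w", host, err)
	}
	for _, ip := range addrs {
		for _, n := range blockedNets {
			if n.Contains(ip.Unmap()) { // Unmap so ::ffff:10.0.0.5 also hits the IPv4 prefix
				return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
			}
		}
	}
	return nil
}

// CheckRedirect applies the same policy to every hop (plug it into http.Client.CheckRedirect)
// so a permitted host cannot redirect the request into a private range.
func (p DestinationPolicy) CheckRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return errors.New("too many redirects")
	}
	return p.Check(req.URL.String())
}

func main() {
	// Offline resolver: any non-literal host is treated as unresolvable in this stand-alone run.
	p := DestinationPolicy{Resolve: func(string) ([]netip.Addr, error) { return nil, errors.New("offline example: no DNS") }}
	fmt.Println(VulnerableAllowed("HTTP://169.254.169.254/"), p.Check("HTTP://169.254.169.254/"))
}
```

The deny-list stand-in returns `true` (allowed) for the mixed-case metadata URL while `Check` rejects it, and `Check` also rejects a permitted-looking hostname whose DNS answer lands in a blocked range. A resolved-IP check alone still leaves a time-of-check/time-of-use gap if the client re-resolves the name when dialing, which is why the egress controls listed above remain necessary alongside it.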

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-40280 (Gotenberg SSRF deny-list bypass). Produce
exactly one output:

- A reviewer-ready PR/change request that upgrades Gotenberg and hardens URL
  destination controls, or
- TRIAGE.md if a safe patch cannot be made from this repository.

## Rules

- Scope only CVE-2026-40280.
- Prefer Gotenberg `8.31.0+`; do not substitute ad hoc regex edits for the
  vendor-fixed release when an upgrade is possible.
- Treat URL scheme, host, redirects, and resolved IP addresses as untrusted.
- Do not auto-merge.

## Steps

1. Find all Gotenberg references in dependencies, Dockerfiles, compose files,
   Helm values, Terraform, Kubernetes manifests, SBOMs, and deployment docs.
2. If any reference resolves to `<=8.30.1`, upgrade it to `8.31.0+` and
   regenerate lockfiles or image metadata.
3. Replace deny-list-only controls with explicit destination allow-lists where
   the application has known webhook/download hosts.
4. Add runtime egress policy for Gotenberg that denies:
   - `127.0.0.0/8` and `::1`;
   - RFC1918 private ranges;
   - `169.254.0.0/16` and cloud metadata endpoints;
   - other internal service CIDRs used by this environment.
5. Add a regression or smoke-test note that mixed-case schemes such as
   `HTTP://169.254.169.254/` are rejected after the change.
6. Run build, tests, dependency scans, image scans, and deployment rendering
   available in this repo.
7. Use PR title:
   `fix(sec): remediate CVE-2026-40280 in Gotenberg`.

## Stop conditions

- The repo only consumes an externally managed Gotenberg service.
- `8.31.0+` is unavailable for the deployment channel.
- The only possible change would weaken URL filtering or broaden network egress.

Verification - what the reviewer looks for

  • Gotenberg resolves to 8.31.0+ everywhere this repo controls.
  • Webhook and downloadFrom destinations are constrained by allow-list or equivalent policy.
  • Network egress prevents private/link-local/metadata access from the Gotenberg workload.
  • Verification notes explicitly cover mixed-case URL scheme bypass attempts.

Watch for

  • Fixes that only lowercase user input in one call path while leaving redirects, webhook callbacks, or downloadFrom handling unchecked.
  • Private-IP deny-list regexes that are case-sensitive or only match host text before DNS resolution.
  • Partial upgrades that leave worker images or cron conversion jobs on older Gotenberg tags.
