CVE-2026-42595 - Gotenberg Chromium URL SSRF
Gotenberg’s Chromium URL-to-PDF endpoint could fetch arbitrary HTTP/HTTPS targets, including loopback, RFC 1918, and cloud metadata addresses. Even when operators configured deny-lists, redirects could send Chromium or Go HTTP clients to internal targets after the initial URL passed validation.
This is a context-egress issue for document conversion services: a benign “render this URL” workflow becomes an internal network read primitive.
When to use it
Use this recipe when a document conversion service, browser-rendering pipeline, or agent workflow sends user-controlled URLs to Gotenberg Chromium URL-to-PDF. It supports source-code remediation, context-egress review, redirect-aware URL policy, and audit evidence that conversion cannot reach loopback, private networks, or cloud metadata services.
Inputs
- Gotenberg version, Chromium route exposure, URL allow/deny policy, redirect handling, network egress controls, and deployment ingress.
- Source/config paths that accept URLs, call Gotenberg, validate destinations, follow redirects, render PDFs, or serialize conversion logs.
- Regression fixtures for private IPs, metadata IPs, loopback, redirect chains, allowed public URLs, mixed-case schemes, and expected deny behavior.
- Boundary evidence: reachable internal services, egress firewall/proxy policy, conversion callers, logs, and rollout owner.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
github.com/gotenberg/gotenberg/v8 |
<8.32.0 |
8.32.0 |
Indicator-of-exposure
- The repository deploys Gotenberg v8 before
8.32.0. /forms/chromium/convert/url,downloadFrom, or webhook features are reachable by users, tenants, jobs, agents, or internal services.- Gotenberg can route to cloud metadata, loopback, Kubernetes services, internal admin panels, monitoring endpoints, or private APIs.
- URL allow/deny policy only checks the initial URL and not redirect targets.
Quick checks:
rg -n "gotenberg|forms/chromium/convert/url|downloadFrom|Gotenberg-Webhook|webhook|8\\.3[01]|chromium.*deny|169\\.254\\.169\\.254" .
docker images | rg -i "gotenberg"
go list -m all 2>/dev/null | rg "gotenberg/gotenberg"
Remediation strategy
- Upgrade all Gotenberg deployments to
8.32.0+and pin image digests. - Add network egress policy that denies cloud metadata, loopback, link-local, private address ranges, cluster service CIDRs, and internal admin networks from the Gotenberg workload.
- Require explicit URL allow-lists for URL-to-PDF features where practical.
- Validate redirect destinations, not only the first URL.
- Add safe tests for internal-address and redirect denial using local fixtures.
The prompt
You are remediating CVE-2026-42595 in Gotenberg. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Gotenberg, hardens URL fetch
and egress policy, adds redirect-aware tests, refreshes generated artifacts,
and documents operator actions, or
- TRIAGE.md if this repository does not control an affected Gotenberg runtime.
## Rules
- Scope only CVE-2026-42595 and directly related Gotenberg SSRF controls.
- Do not request cloud metadata endpoints, internal admin panels, credentials,
Kubernetes APIs, or private services to prove exposure.
- Do not print or commit rendered internal responses, tokens, headers, PDFs,
metadata, cookies, or service discovery output.
- Do not rely on regex-only URL checks as the only mitigation.
- Do not auto-merge.
## Steps
1. Inventory Dockerfiles, compose files, Helm charts, Kubernetes manifests,
Terraform, lockfiles, Go modules, SBOMs, docs, and app config for Gotenberg.
2. Determine every Gotenberg version or image digest. A target is vulnerable if
it runs Gotenberg v8 `<8.32.0`.
3. Find all callers and exposed routes for `/forms/chromium/convert/url`,
`downloadFrom`, webhooks, URL-to-PDF conversion, and document conversion
APIs that accept user, tenant, workflow, or agent-supplied URLs.
4. Upgrade Gotenberg to `8.32.0+` and pin the image by digest where the repo
controls images. Regenerate manifests, SBOMs, deployment render output, and
dependency reports.
5. Add workload egress controls denying:
- `169.254.169.254` and cloud metadata ranges;
- loopback and link-local addresses;
- RFC 1918/private ranges unless explicitly allowed;
- Kubernetes service CIDRs and internal admin networks.
6. Add app-level URL policy where the repo owns callers:
- prefer allow-lists for trusted render origins;
- block redirects to denied ranges;
- limit fetch timeout, response size, and content type;
- log decisions without logging sensitive URLs or responses.
7. Add safe tests using local dummy hosts to assert private-address and
redirect targets are blocked. Do not contact real metadata services.
8. Add a PR body section named `CVE-2026-42595 operator actions` covering:
Gotenberg versions before/after, exposed conversion routes, egress policy,
URL allow-list posture, artifacts rebuilt, and whether logs should be
reviewed for suspicious internal URL conversion.
9. Run validation: deployment render, container build, policy tests, unit tests,
lint/typecheck, SBOM refresh, and dependency/security scans.
10. Use PR title:
`fix(sec): block Gotenberg Chromium SSRF`.
## Stop conditions
- Gotenberg is not present or is managed outside this repository.
- All controlled deployments already run `8.32.0+` and egress policy is
documented.
- Verification would require contacting real internal services or metadata
endpoints.
- The product intentionally allows arbitrary URL rendering from untrusted users
without egress policy; document the owner decision in TRIAGE.md.
Output contract
- A reviewer-ready PR or change request that upgrades Gotenberg, blocks metadata/internal egress, adds redirect-aware URL policy tests, and documents conversion pipeline controls.
- Or a
TRIAGE.mdfile that lists inspected files/config, owner, observed version, URL rendering boundary, egress policy, required fix, and residual risk. - The output must include exact validation commands and must not fetch cloud metadata, internal systems, local services, or customer documents.
Verification - what the reviewer looks for
- No controlled Gotenberg deployment runs
<8.32.0. - Egress policy blocks metadata, loopback, link-local, private, and cluster internal ranges unless explicitly justified.
- Redirect-aware tests prove deny policy is applied after redirects.
- No sensitive rendered response data is committed or logged.
Watch for
- Sidecar or worker Gotenberg deployments versioned separately from the main application.
- Caller-side URL allow-lists that miss redirects, DNS rebinding, IPv6, or IPv4-mapped IPv6 forms.
- Older Gotenberg SSRF advisories in the same upgrade window.
Related recipes
- Source code attack surface map
- Source code secrets and data exposure audit
- Source code injection sink audit
- OWASP Top 10 2026 audit
References
- GitHub Advisory: https://github.com/advisories/GHSA-chwh-f6gm-r836
- Vendor advisory: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-chwh-f6gm-r836