CVE-2026-39383

Source
https://cve.org/CVERecord?id=CVE-2026-39383
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39383.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39383
Aliases
Published
2026-05-05T20:39:03.651Z
Modified
2026-07-08T08:13:03.350956480Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Gotenberg unauthenticated blind SSRF via unfiltered webhook URL
Details

Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL.

This is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe.

This issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERGAPIWEBHOOKALLOWLIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERGAPIWEBHOOKDENYLIST to block RFC-1918 and link-local address ranges.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39383.json"
}
References

Affected packages

Git / github.com/gotenberg/gotenberg

Affected ranges

Type
GIT
Repo
https://github.com/gotenberg/gotenberg
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.31.0"
        },
        {
            "introduced": "8.29.1"
        }
    ],
    "cpe": "cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v8.*
v8.29.1
v8.30.0
v8.30.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39383.json"