CVE-2026-40280 in gotenberginfo

Zusammenfassung

von MITRE • 05.05.2026

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/.

This bypasses the same security control that was patched in CVE-2026-27018.

This issue has been fixed in version 8.31.0.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Veröffentlichung

05.05.2026

Moderieren

akzeptiert

Eintrag

VDB-360392

CPE

bereit

CWE

CWE-918 (bestätigt)

CVSS

7.3 (VulDB)

EPSS

0.00014

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-40280
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-40280
CVE Details	https://www.cvedetails.com/cve/CVE-2026-40280/

◂ Zurück Übersicht Weiter ▸

Do you know our Splunk app?

Download it now for free!