CVE-2026-40280 Overview
CVE-2026-40280 is a Server-Side Request Forgery (SSRF) vulnerability in Gotenberg, an API-based document conversion tool. Versions 8.30.1 and earlier ship deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags that use a case-sensitive regular expression (^https?://) to filter URL schemes. Attackers bypass the filter by capitalizing the scheme (for example HTTP:// or Http://), allowing unauthenticated requests to reach internal services. The flaw reintroduces the same security weakness previously addressed in CVE-2026-27018. Maintainers fixed the issue in Gotenberg 8.31.0.
Critical Impact
Unauthenticated attackers can reach private IP ranges, loopback interfaces, and cloud instance metadata endpoints such as http://169.254.169.254/latest/meta-data/, exposing credentials and internal services.
Affected Products
- Gotenberg versions 8.30.1 and earlier
- Deployments using --webhook-deny-list for outbound webhook filtering
- Deployments using --api-download-from-deny-list for asset download filtering
Discovery Timeline
- 2026-05-05 - CVE-2026-40280 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-40280
Vulnerability Analysis
Gotenberg accepts URLs from API clients for webhooks and remote asset downloads. Operators rely on deny-list flags to block requests targeting internal infrastructure. The default deny-list patterns include the regular expression ^https?:// to anchor scheme matching. This regex is case-sensitive, so it only matches lowercase http:// and https:// prefixes.
Go's net/url.Parse() normalizes the scheme to lowercase before opening the outbound TCP connection. As a result, an attacker can submit a URL with mixed-case or uppercase scheme such as HTTP://169.254.169.254/, bypass the regex check, and still trigger a valid HTTP request to the target. The bypass restores SSRF capability that the project previously fixed in CVE-2026-27018, indicating an incomplete remediation.
The weakness is classified as CWE-918 (Server-Side Request Forgery). Successful exploitation lets attackers reach loopback addresses, RFC 1918 private ranges, and cloud metadata services, which often expose IAM credentials on AWS, GCP, and Azure.
Root Cause
The root cause is a case-sensitive regular expression used for security filtering against input that downstream code normalizes to a different case. The deny-list anchor ^https?:// does not match HTTP://, HTTPS://, or Http://, but the Go HTTP client treats those schemes as equivalent after normalization. The mismatch between the validation layer and the execution layer creates a parser differential that voids the deny-list.
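The parser differential described above, as an added Go example that is not Gotenberg's own code: a constructed case-sensitive deny-list modelled on the advisory (the exact regex and the two blocked hosts are assumptions) beside a check that normalizes the URL the way the outbound client does before filtering, and additionally rejects loopback, private and link-local literal addresses.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Constructed deny-list: a case-sensitive scheme anchor in front of the
// metadata and loopback hosts, in the style the advisory describes.
var denyList = regexp.MustCompile(`^https?://(169\.254\.169\.254|127\.0\.0\.1|localhost)`)

// vulnerableAllowed mirrors the pre-8.31.0 behaviour: the raw string is matched
// as submitted, so an uppercase scheme never reaches the ^https?:// anchor.
func vulnerableAllowed(raw string) bool {
	return !denyList.MatchString(raw)
}

// hardenedAllowed parses first (net/url lowercases the scheme, as the HTTP
// client will), rebuilds scheme://host from the parsed parts, and only then
// applies the deny-list. Only http/https are accepted, and literal IPs in
// loopback, private or link-local ranges are refused outright. Hostnames are
// not resolved here, so DNS-based evasion is out of scope for this snippet.
func hardenedAllowed(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	scheme := strings.ToLower(u.Scheme) // explicit, so the check never depends on caller behaviour
	if scheme != "http" && scheme != "https" {
		return false
	}
	if denyList.MatchString(scheme + "://" + u.Host) {
		return false
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() {
			return false
		}
	}
	return true
}

func main() {
	for _, raw := range []string{"https://hooks.example.com/cb", "http://169.254.169.254/latest/meta-data/",
		"HTTP://169.254.169.254/latest/meta-data/", "Http://127.0.0.1:8080/"} {
		fmt.Printf("%-42s vulnerable=%-5v hardened=%v\n", raw, vulnerableAllowed(raw), hardenedAllowed(raw))
	}
}
```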
Attack Vector
An unauthenticated attacker sends a conversion request to a Gotenberg endpoint that accepts a URL parameter, such as a webhook callback or remote download URL. The attacker supplies a URL with a capitalized scheme pointing at an internal target. Gotenberg's deny-list regex fails to match, the request passes validation, and the server issues an outbound HTTP request to the internal resource. The attacker receives the response or its side effects through the service workflow.
The vulnerability mechanism is documented in the GitHub Security Advisory GHSA-5q7p-7jgv-ww56 and the upstream fix commit.
Detection Methods for CVE-2026-40280
Indicators of Compromise
- Outbound requests from Gotenberg containers to 169.254.169.254, 127.0.0.1, or RFC 1918 ranges
- Inbound API requests with URL parameters containing uppercase or mixed-case schemes such as HTTP://, HTTPS://, or Http://
- Gotenberg access logs showing webhook or download URLs with non-lowercase schemes
- Unexpected DNS lookups from the Gotenberg host targeting internal hostnames
Detection Strategies
- Inspect HTTP request bodies and query strings reaching Gotenberg for URL fields that do not match a strict lowercase ^https?:// pattern
- Correlate Gotenberg outbound connections against an allow-list of expected webhook destinations
- Alert on any outbound traffic from the Gotenberg service to link-local or metadata IP addresses
- Review reverse-proxy or WAF logs for SSRF probing patterns referencing cloud metadata paths
Monitoring Recommendations
- Capture network flow logs for the Gotenberg workload and forward them to a centralized analytics platform
- Enable egress filtering at the host or network layer and log every blocked attempt to internal ranges
- Track Gotenberg version strings across the fleet to identify hosts still running 8.30.1 or earlier
How to Mitigate CVE-2026-40280
Immediate Actions Required
- Upgrade Gotenberg to version 8.31.0 or later on every deployment
- Block egress from the Gotenberg workload to 169.254.169.254, loopback, and private IP ranges at the network layer
- Rotate any cloud IAM credentials that may have been exposed through the instance metadata service
- Audit recent Gotenberg API requests for URL parameters using uppercase schemes
Patch Information
The maintainers fixed the deny-list bypass in Gotenberg 8.31.0. The patch updates the scheme-matching logic so that uppercase and mixed-case schemes are normalized before the deny-list check. Review the fix commit 3f01ca18 and the GHSA-jjwv-57xh-xr6r advisory for full technical details.
Workarounds
- Place Gotenberg behind a reverse proxy that rejects requests containing URL parameters with non-lowercase schemes
- Enforce IMDSv2 on AWS instances to require session tokens for metadata access
- Run Gotenberg in a network namespace or VPC with no route to internal services or metadata endpoints
- Apply strict egress firewall rules limiting outbound traffic to known webhook destinations
# Example egress restriction using iptables to block metadata access
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.