📄 Description (English)
Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/.
This bypasses the same security control that was patched in CVE-2026-27018.
This issue has been fixed in version 8.31.0.
🤖 AI Executive Summary
Gotenberg versions 8.30.1 and earlier contain a case-sensitivity bypass in URL scheme validation that allows attackers to circumvent private IP deny-lists through capitalized URL schemes (HTTP://, HTTPS://). This enables unauthenticated access to internal services and cloud metadata endpoints, potentially exposing sensitive infrastructure data. The vulnerability is actively exploitable and requires immediate patching to version 8.31.0.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 10, 2026 05:33
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Gotenberg for document conversion services face significant risk, particularly in banking sector (SAMA-regulated institutions), government agencies (NCA oversight), healthcare providers, and energy sector operations. The vulnerability enables attackers to access internal metadata services and private networks, potentially exposing authentication credentials, API keys, and sensitive operational data. Cloud-hosted deployments in Saudi Arabia (AWS, Azure, Google Cloud) are particularly vulnerable to metadata endpoint exploitation. Government and financial institutions relying on Gotenberg for secure document processing are at highest risk of data exfiltration and lateral movement attacks.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Cloud Service Providers
Document Management Services
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Gotenberg instances in your environment running versions 8.30.1 or earlier
2. Disable or restrict Gotenberg API access until patching is completed
3. Review webhook and API download configurations for any suspicious activity
4. Check cloud metadata endpoint access logs (169.254.169.254) for unauthorized requests
PATCHING:
1. Upgrade Gotenberg to version 8.31.0 or later immediately
2. Test the upgrade in a non-production environment first
3. Verify deny-list functionality post-upgrade with case-sensitive URL scheme testing
4. Restart all Gotenberg services after patching
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement network-level restrictions blocking access to 169.254.169.254 and private IP ranges
2. Deploy WAF rules to block requests with capitalized URL schemes (HTTP://, HTTPS://, Http://, etc.)
3. Restrict Gotenberg to internal-only access with strict firewall rules
4. Implement request logging and alerting for any attempts to access private IP ranges
5. Use network segmentation to isolate Gotenberg from sensitive systems
DETECTION:
1. Monitor for HTTP requests with non-standard case URL schemes (HTTP://, HTTPS://, Http://, hTTp://)
2. Alert on any Gotenberg requests to 169.254.169.254 or private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
3. Review webhook and API download logs for suspicious destinations
4. Implement IDS/IPS signatures for capitalized scheme bypass attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات Gotenberg في بيئتك التي تعمل بالإصدارات 8.30.1 أو أقدم
2. عطّل أو قيّد وصول Gotenberg API حتى يتم إكمال التصحيح
3. راجع تكوينات webhook وتنزيل API لأي نشاط مريب
4. تحقق من سجلات وصول نقطة نهاية البيانات الوصفية للسحابة (169.254.169.254) للطلبات غير المصرح بها
التصحيح:
1. قم بترقية Gotenberg إلى الإصدار 8.31.0 أو أحدث على الفور
2. اختبر الترقية في بيئة غير إنتاجية أولاً
3. تحقق من وظيفة قائمة الحظر بعد الترقية باستخدام اختبار مخطط URL حساس لحالة الأحرف
4. أعد تشغيل جميع خدمات Gotenberg بعد التصحيح
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكنًا):
1. تنفيذ قيود على مستوى الشبكة لحظر الوصول إلى 169.254.169.254 ونطاقات IP الخاصة
2. نشر قواعد WAF لحظر الطلبات ذات مخططات URL بأحرف كبيرة
3. تقييد Gotenberg للوصول الداخلي فقط مع قواعد جدار الحماية الصارمة
4. تنفيذ تسجيل التنبيهات لأي محاولات للوصول إلى نطاقات IP الخاصة
5. استخدم تقسيم الشبكة لعزل Gotenberg عن الأنظمة الحساسة
الكشف:
1. مراقبة طلبات HTTP ذات مخططات URL غير قياسية الحالة
2. تنبيه على أي طلبات Gotenberg إلى 169.254.169.254 أو نطاقات IP الخاصة
3. مراجعة سجلات webhook وتنزيل API للوجهات المريبة
4. تنفيذ توقيعات IDS/IPS لمحاولات تجاوز المخطط
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Secure development and change management
ECC 2024 A.14.2.5 - Access control for development and testing
ECC 2024 A.8.3.1 - Access control implementation
ECC 2024 A.13.1.3 - Segregation of networks
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software inventory and asset management
SAMA CSF PR.AC-1 - Access control and authentication
SAMA CSF PR.AC-3 - Network segmentation and segregation
SAMA CSF DE.CM-1 - Detection and monitoring of unauthorized access
🟡 ISO 27001:2022
ISO 27001:2022 A.8.1.1 - User endpoint devices
ISO 27001:2022 A.8.3.1 - Access control
ISO 27001:2022 A.13.1.3 - Segregation of networks
ISO 27001:2022 A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 1.3 - Network segmentation
🔗 References & Sources 4
🔗
https://github.com/advisories/GHSA-jjwv-57xh-xr6r
security-advisories@github.com
Not Applicable
🔗
https://github.com/gotenberg/gotenberg/commit/3f01ca18d3cc21375a1e2da4b5a3f261c8548e47
security-advisories@github.com
Patch
🔗
https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56
security-advisories@github.com
Exploit
Mitigation
Vendor Advisory
🔗
https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Mitigation
Vendor Advisory
📦 Affected Products / CPE 1 entries
thecodingmachine:gotenberg