Description

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/. This bypasses the same security control that was patched in CVE-2026-27018. This issue has been fixed in version 8.31.0.

INFO

Published Date :

2026-05-05T19:52:40.327Z

Last Modified :

2026-05-05T19:52:40.327Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40280 vulnerability.

Vendors Products
Gotenberg
  • Gotenberg
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40280.

URL Resource
https://github.com/advisories/GHSA-jjwv-57xh-xr6r cve-icon cve-icon
https://github.com/gotenberg/gotenberg/commit/3f01ca18d3cc21375a1e2da4b5a3f261c8548e47 cve-icon cve-icon
https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability