CVE-2026-42594

7.5 HIGH

Gotenberg is a Docker-powered stateless API for PDF files

Published: 2026-05-14 · Last updated: 2026-05-18

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-362

Affected products

Vendor	Product
thecodingmachine	gotenberg

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool. When a concurrent request claims the recycled context, c.Reset() clears the store. If the webhook goroutine reaches hardTimeoutMiddleware at that moment, an unchecked type assertion on a nil store entry panics outside any recover() scope, crashing the Gotenberg process. Any anonymous caller reaches the webhook path (default webhook-deny-list filters only the webhook destination, not the submitter). A single-source stress of ~24 webhook requests plus ~60 GET /version requests crashes the process in about two seconds. This vulnerability is fixed in 8.32.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42594
[Vendor advisory]https://github.com/gotenberg/gotenberg/security/advisories/GHSA-r33j-c622-r6qp
[Vendor advisory]https://github.com/gotenberg/gotenberg/security/advisories/GHSA-r33j-c622-r6qp

Related CVEs

Same vendor

CVE-2026-42597 — Gotenberg is a Docker-powered stateless API for PDF files (5.9 MEDIUM)
CVE-2026-42596 — Gotenberg is a Docker-powered stateless API for PDF files (9.4 CRITICAL)
CVE-2026-42595 — Gotenberg is a Docker-powered stateless API for PDF files (8.6 HIGH)
CVE-2026-42593 — Gotenberg is a Docker-powered stateless API for PDF files (5.3 MEDIUM)
CVE-2026-42592 — Gotenberg is a Docker-powered stateless API for PDF files (5.3 MEDIUM)

Same CWE

CVE-2026-12022 — Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process ... (8.3 HIGH)
CVE-2026-46693 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.1 MEDIUM)
CVE-2026-44693 — Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker (8.8 HIGH)
CVE-2022-26758 — A malicious application may cause unexpected changes in memory shared between processes (7.1 HIGH)
CVE-2026-1220 — Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page (7.5 HIGH)