Vypr Intelligence · AI-generated · May 31, 2026 · 3 CVEs

Gotenberg: Three High-Severity Bugs Disclosed Together — Race Condition, SSRF Bypass, Path Traversal

Three high-severity CVEs landed simultaneously for Gotenberg on May 29, 2026, spanning a race condition that crashes the process, an SSRF deny-list bypass via crafted IPv6 records, and a path-traversal flaw in zip entry handling.

Key findings

  • CVE-2026-45742: Concurrent map writes in multipart downloadFrom handler crash the process with no recovery
  • CVE-2026-45741: IsPublicIP misclassifies 6to4, NAT64, and site-local IPv6 prefixes as public, enabling SSRF
  • CVE-2026-44829: filepath.Base on Linux doesn't strip backslashes, allowing path traversal in zip entry names
  • All three CVEs are high severity, remotely exploitable, and require no authentication
  • No in-the-wild exploitation reported as of disclosure, but attack vectors are straightforward
  • Patches pending; mitigations include network-layer filtering and request-size limits

On May 29, 2026, three high-severity vulnerabilities were disclosed together for Gotenberg, the popular open-source Docker-powered document conversion API. The batch — comprising CVE-2026-45742, CVE-2026-45741, and CVE-2026-44829 — was published within an 18-minute window and covers three distinct attack surfaces: a race condition that crashes the service, an SSRF deny-list bypass, and a path-traversal bug in zip entry name handling. All three carry high severity ratings and affect Gotenberg's core request-processing pipeline.

Race Condition via Multipart downloadFrom Handling (CVE-2026-45742)

CVE-2026-45742 describes a remote denial-of-service vulnerability in Gotenberg's multipart downloadFrom handler. When a single multipart request contains multiple downloadFrom entries, the server spawns concurrent goroutines that write to shared maps without synchronization. The result is Go's `fatal error: concurrent map writes`, which terminates the entire Gotenberg process. An unauthenticated attacker can repeatedly trigger this condition, effectively taking the service offline. Because the crash is a Go runtime fatal error rather than a recoverable panic, there is no graceful degradation — the container exits immediately.
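As an added illustration (not Gotenberg's code), this is the shape the fix needs: fan the fetches out concurrently, but serialise every write to the shared result map behind a mutex, and reject oversized requests before spawning any goroutines. `fetchFunc`, `maxDownloadFrom` and the sample URLs are stand-ins chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Hypothetical per-request cap on downloadFrom entries; an unbounded list
// lets one request spawn an arbitrary number of goroutines.
const maxDownloadFrom = 8

var errTooMany = errors.New("too many downloadFrom entries")

// fetchFunc stands in for the real HTTP download in this example.
type fetchFunc func(url string) ([]byte, error)

// fetchAll downloads every URL concurrently and returns the bodies keyed by
// URL. Unsynchronised writes to `results` from several goroutines would end
// the process with Go's unrecoverable "fatal error: concurrent map writes";
// the mutex makes each write exclusive.
func fetchAll(urls []string, fetch fetchFunc) (map[string][]byte, error) {
	if len(urls) > maxDownloadFrom {
		return nil, errTooMany // fail fast, before any work is spawned
	}
	var (
		mu       sync.Mutex // guards results and firstErr
		wg       sync.WaitGroup
		results  = make(map[string][]byte, len(urls))
		firstErr error
	)
	for _, u := range urls {
		wg.Add(1)
		go func(u string) {
			defer wg.Done()
			body, err := fetch(u) // network work stays outside the lock
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				if firstErr == nil {
					firstErr = err
				}
				return
			}
			results[u] = body
		}(u)
	}
	wg.Wait()
	return results, firstErr
}

func main() {
	echo := func(u string) ([]byte, error) { return []byte("body of " + u), nil }
	res, err := fetchAll([]string{"http://a.example/1", "http://a.example/2"}, echo)
	fmt.Println(len(res), err)
}
```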

SSRF Deny-List Bypass via IPv6 6to4 / NAT64 / Site-Local Prefixes (CVE-2026-45741)

CVE-2026-45741 targets Gotenberg's IsPublicIP function in pkg/gotenberg/outbound.go. The function is designed to block requests to private and link-local addresses, acting as a server-side request forgery (SSRF) safeguard. However, the implementation incorrectly classifies several IPv6 address categories as public:

  • 6to4 addresses (2002::/16) — these embed an IPv4 address and can be crafted to point at internal destinations.
  • NAT64 / DNS64 synthetic addresses (64:ff9b::/96) — used for IPv6-to-IPv4 translation, these can resolve to internal IPv4 ranges.
  • Deprecated site-local addresses (fec0::/10) — originally intended for private use, but the function does not treat them as private.

An unauthenticated attacker can bypass the deny-list by registering or controlling a DNS AAAA record that resolves to one of these prefixes, then pointing Gotenberg's downloadFrom at that host. This allows reaching internal services such as cloud metadata endpoints (e.g., 169.254.169.254 on AWS, GCP, or Azure) or other internal network resources.
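As an added example (not Gotenberg's `IsPublicIP`), a classifier that unwraps the IPv4 address embedded in 6to4 and NAT64 addresses and judges that destination instead, and that treats the deprecated site-local prefix as private. It goes slightly beyond the three cases above by also unmapping IPv4-mapped IPv6 addresses before classifying them.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Prefixes that CVE-2026-45741 says the original check let through.
var (
	sixToFourPrefix = netip.MustParsePrefix("2002::/16")    // 6to4: IPv4 in bits 16..47
	nat64Prefix     = netip.MustParsePrefix("64:ff9b::/96") // NAT64/DNS64: IPv4 in low 32 bits
	siteLocalPrefix = netip.MustParsePrefix("fec0::/10")    // deprecated site-local
)

// embeddedIPv4 unwraps the IPv4 address carried by a 6to4 or NAT64 address.
func embeddedIPv4(addr netip.Addr) (netip.Addr, bool) {
	b := addr.As16()
	switch {
	case sixToFourPrefix.Contains(addr):
		return netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]}), true
	case nat64Prefix.Contains(addr):
		return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]}), true
	}
	return netip.Addr{}, false
}

// isPublicIP reports whether an outbound fetch to addr should be allowed.
// The decision is made on the address the packet will actually reach.
func isPublicIP(addr netip.Addr) bool {
	addr = addr.Unmap() // ::ffff:a.b.c.d is an IPv4 destination in disguise
	if inner, ok := embeddedIPv4(addr); ok {
		return isPublicIP(inner) // inner is IPv4, so this recurses at most once
	}
	if siteLocalPrefix.Contains(addr) {
		return false // not covered by IsPrivate, which only knows fc00::/7
	}
	// Rejects loopback, link-local (incl. 169.254.0.0/16), multicast,
	// unspecified and the RFC 1918 / fc00::/7 private ranges.
	return addr.IsGlobalUnicast() && !addr.IsPrivate()
}

func main() {
	for _, s := range []string{"2002:a9fe:a9fe::1", "64:ff9b::a00:1", "fec0::1", "2001:db8::1"} {
		fmt.Printf("%-20s public=%v\n", s, isPublicIP(netip.MustParseAddr(s)))
	}
}
```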

Path Traversal via Windows-Style Separators in Zip Entry Names (CVE-2026-44829)

CVE-2026-44829 stems from a subtle platform mismatch. Gotenberg runs in Linux containers but relies on Go's filepath.Base to sanitise input filenames. On Linux, \ (backslash) is not a path separator — only / is. A multipart upload filename like ..\..\..\..\Windows\System32\evil.pdf passes through filepath.Base unchanged because the function only strips /-separated directory components. The raw string is then used verbatim as the zip entry name when a multi-output route returns its results. An attacker can craft filenames that traverse out of the intended output directory, potentially overwriting files elsewhere in the container's filesystem.
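An added example (not the project's code) of a zip entry-name sanitiser that closes the gap described above by normalising backslashes before taking the base name, shown next to what `filepath.Base` alone does on Linux; the function name and error value are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

var errUnsafeName = errors.New("unsafe zip entry name")

// safeEntryName reduces an upload filename to a single, separator-free path
// element before it is used as a zip entry name. Unlike filepath.Base, it
// treats '\' as a separator on every OS, which is the gap behind CVE-2026-44829.
func safeEntryName(name string) (string, error) {
	name = strings.ReplaceAll(name, `\`, "/") // normalise Windows separators
	base := path.Base(name)                   // path, not filepath: OS-neutral
	switch base {
	case "", ".", "..", "/":
		return "", errUnsafeName // nothing usable remains
	}
	for _, r := range base {
		if r < 0x20 || r == 0x7f {
			return "", errUnsafeName // control characters confuse archive tools
		}
	}
	return base, nil
}

func main() {
	raw := `..\..\..\..\Windows\System32\evil.pdf`
	// On Linux filepath.Base leaves the backslashes (and the traversal) intact.
	fmt.Printf("filepath.Base: %q\n", filepath.Base(raw))
	safe, err := safeEntryName(raw)
	fmt.Printf("safeEntryName: %q %v\n", safe, err)
}
```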

Impact and Exploitation Context

All three vulnerabilities are remotely exploitable by unauthenticated attackers and require no special privileges. The race condition (CVE-2026-45742) is the most immediately disruptive — it crashes the process with no recovery short of a restart. The SSRF bypass (CVE-2026-45741) is the most dangerous for cloud deployments, where metadata services at 169.254.169.254 can expose instance credentials, access tokens, and configuration secrets. The path traversal (CVE-2026-44829) is constrained by the container filesystem but could still be used to overwrite configuration files or application data.

As of the disclosure date, there are no public reports of in-the-wild exploitation, but the attack vectors are straightforward to reproduce.

Response and Patch Status

The Gotenberg maintainers have acknowledged all three issues. Patches are expected in an upcoming release. Users should watch the Gotenberg GitHub releases page for the fixed version. In the interim, the following mitigations are recommended:

  • **For CVE-2026-45742**: Restrict multipart request sizes and limit the number of downloadFrom entries per request via a reverse proxy or API gateway.
  • **For CVE-2026-45741**: Deploy a network-layer firewall or egress proxy that blocks outbound connections to internal IP ranges, including IPv6-translated addresses. Alternatively, run Gotenberg in a network namespace with no access to internal services.
  • **For CVE-2026-44829**: Sanitize upload filenames at the reverse-proxy level before they reach Gotenberg, stripping backslash characters.

Why This Batch Matters

Gotenberg is widely used in CI/CD pipelines, document-generation services, and SaaS platforms where untrusted user input is converted to PDFs or other formats. The three bugs disclosed together highlight a recurring theme in containerized applications: platform assumptions (Linux vs. Windows path handling, IPv4-centric IP classification, and unsynchronized goroutine access) create edge cases that are easy to miss in code review. Users running Gotenberg in multi-tenant or internet-facing environments should prioritize patching once the fix ships.

AI-written article. Grounded in 3 CVE records listed below.