Cyber Resilience

CVE-2026-27018

HighPublic PoC

Published: 30 March 2026

Published
30 March 2026
Modified
08 April 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0054 41.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27018 is a high-severity Path Traversal (CWE-22) vulnerability in Thecodingmachine Gotenberg. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27018 is a vulnerability in Gotenberg, an API for converting document formats, affecting versions prior to 8.29.0. It allows bypassing the fix previously introduced for CVE-2024-21527 by using mixed-case or uppercase URL schemes. The issue is classified under CWE-22 (Path Traversal) and CWE-918 (Server-Side Request Forgery), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network-accessible exploitation.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By submitting requests with manipulated URL schemes, they can circumvent the prior mitigation, potentially achieving unauthorized access to sensitive data as reflected in the high confidentiality impact score.

The vulnerability has been addressed in Gotenberg version 8.29.0. Mitigation details are available in the GitHub security advisory GHSA-jjwv-57xh-xr6r, the release notes at v8.29.0, and associated commits 06b2b2e10c52b58135edbfe82e94d599eb0c5a11 and 8625a4e899eb75e6fcf46d28394334c7fd79fff5. Security practitioners should upgrade to the patched version immediately.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

SSRF + path traversal in public-facing Gotenberg API enables direct exploitation of the service (T1190) and reading of local files/sensitive data (T1005) by bypassing URL scheme filters.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42591Same product: Thecodingmachine Gotenberg
CVE-2026-42596Same product: Thecodingmachine Gotenberg
CVE-2026-42595Same product: Thecodingmachine Gotenberg
CVE-2026-42589Same product: Thecodingmachine Gotenberg
CVE-2026-40281Same product: Thecodingmachine Gotenberg
CVE-2026-40893Same product: Thecodingmachine Gotenberg
CVE-2026-42590Same product: Thecodingmachine Gotenberg
CVE-2026-35458Same product: Thecodingmachine Gotenberg
CVE-2026-42594Same product: Thecodingmachine Gotenberg
CVE-2026-30828Shared CWE-22, CWE-918

Affected Assets

thecodingmachine
gotenberg
≤ 8.29.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and remediation of flaws such as CVE-2026-27018 by upgrading Gotenberg to the patched version 8.29.0.

prevent

Mandates validation of information inputs like URL schemes to prevent bypasses via mixed-case or uppercase variations exploited in this vulnerability.

preventdetect

Enforces boundary protection to monitor and control communications, mitigating SSRF attempts by restricting unauthorized outbound requests triggered by malformed URL schemes.

References