Cyber Resilience

CVE-2026-35458

High · Public PoC

Published: 07 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: see the vendor advisory (fixed in versions after 8.29.1)
CVSS v4.0 score: 8.7 (High); vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0050 (38.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35458 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Thecodingmachine Gotenberg. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 38.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-35458 is a vulnerability in Gotenberg, an API for converting document formats, affecting versions 8.29.1 and earlier. The issue stems from Gotenberg's use of the dlclark/regexp2 library to compile user-supplied scope patterns without implementing a proper timeout. This flaw, classified as CWE-1333, allows malicious regular expressions to cause indefinite hangs in Gotenberg workers. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-07.

Remote attackers require only access to Gotenberg features that use this scope pattern compilation logic. No privileges, user interaction, or special conditions are needed, enabling unauthenticated exploitation over the network with low complexity. Successful attacks result in worker processes hanging indefinitely, achieving high impacts on confidentiality, integrity, and availability. Note that the CVSS v4.0 vector recorded above scores availability impact only (VC:N/VI:N/VA:H), which matches the denial-of-service nature of the flaw; the practical effect is loss of conversion capacity rather than data exposure.

The official GitHub security advisory at https://github.com/gotenberg/gotenberg/security/advisories/GHSA-fmwg-qcqh-m992 provides further details on mitigation and patches.

Vulnerability details

Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The ReDoS vulnerability (CWE-1333) in the public-facing Gotenberg API allows remote unauthenticated attackers to submit malicious regex patterns that cause indefinite worker hangs, directly enabling Endpoint Denial of Service through Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42594 · same product: Thecodingmachine Gotenberg
CVE-2026-42596 · same product: Thecodingmachine Gotenberg
CVE-2026-42589 · same product: Thecodingmachine Gotenberg
CVE-2026-40893 · same product: Thecodingmachine Gotenberg
CVE-2026-42595 · same product: Thecodingmachine Gotenberg
CVE-2026-42591 · same product: Thecodingmachine Gotenberg
CVE-2026-40281 · same product: Thecodingmachine Gotenberg
CVE-2026-42590 · same product: Thecodingmachine Gotenberg
CVE-2026-27018 · same product: Thecodingmachine Gotenberg
CVE-2025-70030 · shared CWE-1333

Affected Assets

thecodingmachine / gotenberg · versions ≤ 8.29.1

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (patching): Directly mitigates CVE-2026-35458 by requiring timely patching of Gotenberg to versions after 8.29.1 that implement proper timeouts on regexp2 compilation.

Prevent (SC-5 Denial-of-service Protection): Protects the Gotenberg API against remote unauthenticated DoS exploitation causing indefinite worker hangs through rate limiting, timeouts, and resource exhaustion defenses.

Prevent (SI-10 Information Input Validation): Validates user-supplied scope patterns at the API interface to block malicious regular expressions before compilation by dlclark/regexp2.
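As an added example (not Gotenberg's code and not part of this record), the two control layers above applied to a backtracking regex engine: a cheap structural check on the user-supplied pattern before compilation (the SI-10 layer) and a hard deadline enforced by running compile-and-match in a killable child process (the SC-5 layer), covering the hang described under "Deeper analysis". Python's standard-library `re` engine is used so the example runs stand-alone; the limits, pattern names and sample inputs are constructed, and in Go the equivalent backstop with dlclark/regexp2 is setting the compiled Regexp's MatchTimeout field.

```python
import multiprocessing
import re

MAX_PATTERN_LEN = 256  # constructed limit for this example; tune per deployment
NESTED_QUANTIFIER = re.compile(r"\([^()]*[+*][^()]*\)\s*[+*{]")  # e.g. (a+)+ or (\w*){2,}


def validate_pattern(pattern):
    """Cheap structural checks run before anything is compiled (the SI-10 layer).
    Returns None when the pattern passes, otherwise the reason for rejection."""
    if len(pattern) > MAX_PATTERN_LEN:
        return "pattern too long"
    if NESTED_QUANTIFIER.search(pattern):
        return "nested quantifier"
    return None


def _match_worker(pattern, text, conn):
    # Runs in the child: compile and match, then report the outcome over the pipe.
    try:
        conn.send(bool(re.compile(pattern).search(text)))
    except re.error as exc:
        conn.send(f"invalid: {exc}")
    finally:
        conn.close()


def guarded_search(pattern, text, timeout=0.5):
    """Compile and run a user-supplied pattern under a hard deadline (the SC-5 layer).
    A thread-based timeout cannot interrupt a backtracking matcher, but a child
    process can be killed, so the serving worker itself never hangs.
    Returns True/False for a completed match, or a string saying why it stopped."""
    reason = validate_pattern(pattern)
    if reason is not None:
        return f"rejected: {reason}"
    ctx = multiprocessing.get_context("fork")  # POSIX only; fork needs no importable module
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_match_worker, args=(pattern, text, child_end))
    proc.start()
    child_end.close()
    if parent_end.poll(timeout):
        result = parent_end.recv()
    else:
        result = "timeout"
        proc.kill()  # SIGKILL reclaims the CPU the hung matcher was burning
    proc.join()
    parent_end.close()
    return result


if __name__ == "__main__":
    # Constructed inputs: benign; caught by the static check; caught only by the deadline.
    for pat, txt in [(r"^[a-z]+$", "hello"), (r"^(a+)+$", "a" * 30 + "!"), (r"^(a|aa)+$", "a" * 64 + "!")]:
        print(pat, "->", guarded_search(pat, txt))  # True / rejected: nested quantifier / timeout
```

The third pattern slips past the static heuristic on purpose: structural checks are a cheap first filter, and only the enforced deadline guarantees the worker survives whatever pattern arrives.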