CVE-2026-35458
Published: 07 April 2026
Summary
CVE-2026-35458 is a critical-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Thecodingmachine Gotenberg. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It sits at the 18.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Patching: Directly mitigates CVE-2026-35458 by requiring timely patching of Gotenberg to a release after 8.29.1 that sets a proper timeout when compiling user-supplied patterns with regexp2 (the timeout bounds the match, which is where a pathological pattern spends its time).
- SC-5 (Denial-of-service Protection): Protects the Gotenberg API against remote unauthenticated DoS exploitation that causes indefinite worker hangs, through rate limiting, request timeouts, and resource exhaustion defenses.
- SI-10 (Information Input Validation): Validates user-supplied scope patterns at the API interface to block malicious regular expressions before they reach dlclark/regexp2. Static screening of patterns is best-effort; a match timeout inside the engine remains the reliable control.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The ReDoS vulnerability (CWE-1333) in the public-facing Gotenberg API lets a remote, unauthenticated attacker submit a pathological regular expression as a scope pattern and hang workers indefinitely. That is Endpoint Denial of Service (T1499) achieved through Application or System Exploitation (T1499.004).
NVD Description
Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.
Deeper analysis [AI-generated]
CVE-2026-35458 is a vulnerability in Gotenberg, an API for converting document formats, affecting versions 8.29.1 and earlier. The issue stems from Gotenberg's use of the dlclark/regexp2 library to compile user-supplied scope patterns without setting a proper timeout. regexp2 is a backtracking engine (unlike Go's standard library regexp, which guarantees linear-time matching), so a crafted pattern can force exponential backtracking. The flaw is classified as CWE-1333 (Inefficient Regular Expression Complexity) and causes Gotenberg workers to hang indefinitely. It received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-07.
An attacker needs only network access to the Gotenberg features that use this scope pattern logic. No privileges, user interaction, or special conditions are required, so exploitation is unauthenticated, remote, and low complexity. A successful attack leaves worker processes hung indefinitely, which denies service to every other client of that instance. Note that the published vector rates confidentiality and integrity impact as High, while the advisory describes only worker hangs, an availability impact; the C and I components reflect the scorer's assessment rather than a consequence described for this flaw, so prioritize on the basis of how exposed the API is and the denial-of-service impact.
The official GitHub security advisory at https://github.com/gotenberg/gotenberg/security/advisories/GHSA-fmwg-qcqh-m992 provides further details on mitigation and patches.
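The following is an added example, not Gotenberg's code or the advisory's patch, illustrating the two controls discussed above: a match timeout checked inside the matching loop (the regexp2 fix class) and a linear-time engine as the alternative where backtracking features are not needed. Because dlclark/regexp2 is not imported here, a deliberately naive backtracking matcher for a tiny pattern language (literals, `.`, `x*`, `^`, `$`) stands in for it; the pathological pattern and input are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// ErrMatchTimeout is returned when a match exceeds its deadline instead of
// being allowed to hang the worker indefinitely.
var ErrMatchTimeout = errors.New("regex match exceeded its timeout")

// backtracker is a deliberately naive backtracking matcher for a tiny
// pattern language: literals, '.', 'x*', a leading '^' and a trailing '$'.
// It is a constructed stand-in for a backtracking engine such as
// dlclark/regexp2 (not imported here); the part that matters is the
// deadline check inside matchHere, which is what a match timeout gives you.
type backtracker struct {
	deadline time.Time
	steps    uint64
}

// matchHere matches re against the start of text, recursing on each
// consumed character. Every 1024 steps it compares the clock with the
// deadline so the check costs almost nothing on benign inputs.
func (b *backtracker) matchHere(re, text string) (bool, error) {
	b.steps++
	if b.steps&1023 == 0 && time.Now().After(b.deadline) {
		return false, ErrMatchTimeout
	}
	switch {
	case re == "":
		return true, nil
	case len(re) > 1 && re[1] == '*':
		return b.matchStar(re[0], re[2:], text)
	case re == "$":
		return text == "", nil
	case text != "" && (re[0] == '.' || re[0] == text[0]):
		return b.matchHere(re[1:], text[1:])
	}
	return false, nil
}

// matchStar tries every length for c* before giving up. Several stars in a
// row over a long run of the same character is where the combinatorial
// blow-up (catastrophic backtracking) comes from.
func (b *backtracker) matchStar(c byte, re, text string) (bool, error) {
	for i := 0; ; i++ {
		ok, err := b.matchHere(re, text[i:])
		if ok || err != nil {
			return ok, err
		}
		if i >= len(text) || (c != '.' && text[i] != c) {
			return false, nil
		}
	}
}

// MatchWithTimeout searches text for pattern under a wall-clock budget,
// mirroring a per-pattern match timeout. It returns ErrMatchTimeout rather
// than hanging when a user-supplied pattern is pathological.
func MatchWithTimeout(pattern, text string, timeout time.Duration) (bool, error) {
	b := &backtracker{deadline: time.Now().Add(timeout)}
	if strings.HasPrefix(pattern, "^") {
		return b.matchHere(pattern[1:], text)
	}
	for i := 0; ; i++ {
		ok, err := b.matchHere(pattern, text[i:])
		if ok || err != nil || i >= len(text) {
			return ok, err
		}
	}
}

// MatchLinear uses Go's standard library regexp (RE2 semantics), which never
// backtracks and so has no pathological inputs. It is the right choice when
// the pattern does not need regexp2-only features such as lookarounds or
// backreferences.
func MatchLinear(pattern, text string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(text), nil
}

func main() {
	// Constructed pathological input: ten stars competing for a run of 'a's
	// with no 'b' to terminate the match, so every split is tried.
	evil := "a*a*a*a*a*a*a*a*a*a*b"
	input := strings.Repeat("a", 30)

	start := time.Now()
	ok, err := MatchWithTimeout(evil, input, 100*time.Millisecond)
	fmt.Printf("backtracking with timeout: ok=%v err=%v after %v\n",
		ok, err, time.Since(start).Round(time.Millisecond))

	ok, err = MatchLinear(evil, input)
	fmt.Printf("RE2 (no timeout needed):   ok=%v err=%v\n", ok, err)

	ok, err = MatchWithTimeout("^ab*c$", "abbbc", time.Second)
	fmt.Printf("benign pattern:            ok=%v err=%v\n", ok, err)
}
```

Two points follow from this. First, the deadline has to be checked inside the engine's own loop: wrapping a match in a goroutine with a context timeout returns control to the HTTP handler but leaves the goroutine burning a core until the match finishes, which is still a worker lost. regexp2 exposes this as the `MatchTimeout` field on a compiled `Regexp` and the package-level `DefaultMatchTimeout`, both of which are unbounded unless set. Second, if the scope patterns only need standard syntax, Go's `regexp` removes the problem class entirely rather than bounding it.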
Details
- CWE(s)