Cyber Resilience

CVE-2026-42596

CriticalPublic PoC

Published: 14 May 2026

Published
14 May 2026
Modified
18 May 2026
KEV Added
Patch
CVSS Score v3.1 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0035 27.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-42596 is a critical-severity SSRF (CWE-918) vulnerability in Thecodingmachine Gotenberg. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as…

more

http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services that the default deny-list is intended to block. This crosses a real security boundary because an external caller can force the server to make outbound requests to internal-only targets. This vulnerability is fixed in 8.31.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct SSRF in public-facing API enabling internal service access via bypassable deny-list.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42591Same product: Thecodingmachine Gotenberg
CVE-2026-42595Same product: Thecodingmachine Gotenberg
CVE-2026-27018Same product: Thecodingmachine Gotenberg
CVE-2026-42589Same product: Thecodingmachine Gotenberg
CVE-2026-40281Same product: Thecodingmachine Gotenberg
CVE-2026-40893Same product: Thecodingmachine Gotenberg
CVE-2026-42590Same product: Thecodingmachine Gotenberg
CVE-2026-35458Same product: Thecodingmachine Gotenberg
CVE-2026-42594Same product: Thecodingmachine Gotenberg
CVE-2024-13195Shared CWE-918

Affected Assets

thecodingmachine
gotenberg
≤ 8.31.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

References