Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine — CVE-2026-42594
GHSA · GitHub · CVE-2026-42594
ID
CVE-2026-42594
CVE-2026-42594
Date
Updated
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.5
7.5
Summary
## Summary The webhook middleware spawns a goroutine that holds a reference to the request's `echo.Context` after the synchronous handler returns `ErrAsyncProcess` and Echo recycles the context back to its `sync.Pool`. When a concurrent request claims the recycled context, `c.Reset()` clears the store. If the webhook goroutine reaches `hardTimeoutMiddleware` at that moment, an unchecked type assertion on a nil…
Product
go: github.com/gotenberg/gotenberg/v8
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.