Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme — CVE-2026-42597
GHSA · GitHub · CVE-2026-42597
ID
CVE-2026-42597
CVE-2026-42597
Date
Updated
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
5.9
5.9
Summary
## Summary The `/forms/chromium/convert/url` and `/forms/chromium/screenshot/url` routes accept `url=file:///tmp/...` from anonymous callers. The default Chromium deny-list intentionally exempts `file:///tmp/` so HTML/Markdown routes can load their own request-local assets, and those routes apply a per-request `AllowedFilePrefixes` guard to scope the read. The URL routes never set `AllowedFilePrefixes`, so the…
Product
go: github.com/gotenberg/gotenberg/v8
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.