Platform: go
Component: github.com/gotenberg/gotenberg/v8
Fixed in: 8.29.1, 8.29.0
CVE-2026-27018 is a high-severity vulnerability affecting Gotenberg v8, a Go-based image processing service. This issue allows attackers to bypass the built-in deny-list mechanism, potentially granting access to sensitive local files. The vulnerability stems from the case-insensitive nature of URI schemes, which Gotenberg's regex filter fails to account for, impacting versions prior to 8.29.0. Upgrade to version 8.29.0 to resolve this issue.
An attacker can exploit this vulnerability by crafting URLs with mixed-case or uppercase schemes (e.g., FILE:///etc/passwd). Gotenberg's regex-based deny-list compares the scheme case-sensitively, so an uppercase or mixed-case scheme does not match the rule. URI schemes are case-insensitive, however, and Chromium, which Gotenberg uses for rendering, normalizes the scheme to lowercase before navigation, so the request is still served as a file URL. The deny-list check is therefore bypassed and the attacker can access files outside the intended safe zone. The potential impact includes reading sensitive configuration files, source code, or other data stored locally on the server. While the vulnerability does not directly lead to remote code execution, it significantly expands the attack surface and could be a stepping stone for further exploitation.
This vulnerability was disclosed on 2026-03-30. There are currently no publicly available exploits, but the bypass is relatively straightforward to implement. The vulnerability is not currently listed on KEV or EPSS, suggesting a low to medium probability of exploitation. Review Gotenberg's security advisories for updates and further guidance.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The primary mitigation is to upgrade Gotenberg to version 8.29.0 or later, which includes the corrected regex filter. If upgrading immediately is not feasible, consider implementing a reverse proxy or WAF rule that blocks requests with uppercase or mixed-case URL schemes. Specifically, match the file: scheme case-insensitively (FILE:, file:, and any other letter-case variant, followed by any characters) rather than only its lowercase form. Monitor Gotenberg logs for unusual file access attempts. After upgrading, confirm the fix by attempting to access a known restricted file using a mixed-case URL scheme (e.g., FILE:///etc/passwd); the request should be denied.
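To make the bypass mechanism concrete and to show what a corrected check looks like, here is an added Go example; it is not Gotenberg's code and does not reproduce its actual filter. The deny-list regex, the function names (naiveDenied, regexDenied, parsedDenied) and the sample URLs are assumptions constructed for illustration; the advisory only states that the pre-8.29.0 deny-list was regex-based and compared the scheme case-sensitively. The example contrasts that case-sensitive rule with two fixes: the same regex made case-insensitive, and a check that parses the URL and compares the normalized scheme, which is closer to what the browser itself does before navigating.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample inputs for the demonstration. The FILE:///etc/passwd
// form is the one the advisory cites; the rest are made up here.
var sampleURLs = []string{
	"https://example.com/report.html",
	"file:///etc/passwd",
	"FILE:///etc/passwd",
	"File:///etc/hostname",
}

// naiveDenyList is a hypothetical case-sensitive deny-list regex that stands in
// for the pre-8.29.0 filter described in the advisory. It is not Gotenberg's rule.
var naiveDenyList = regexp.MustCompile(`^file://`)

// fixedDenyList is the same rule with Go's (?i) flag, so the scheme is matched
// regardless of letter case.
var fixedDenyList = regexp.MustCompile(`(?i)^file://`)

// naiveDenied reproduces the flaw: only a lowercase "file://" prefix is caught,
// so FILE:// or File:// passes even though Chromium will treat it as file://.
func naiveDenied(raw string) bool {
	return naiveDenyList.MatchString(raw)
}

// regexDenied applies the case-insensitive rule.
func regexDenied(raw string) bool {
	return fixedDenyList.MatchString(raw)
}

// parsedDenied is the more robust option: parse the URL, normalize the scheme
// the way the browser will, and compare the normalized value. It fails closed
// on input that cannot be parsed or that carries no scheme at all.
func parsedDenied(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true
	}
	// net/url already lowercases the scheme; ToLower is kept so the check does
	// not silently depend on that behaviour.
	scheme := strings.ToLower(u.Scheme)
	if scheme == "" {
		return true
	}
	return scheme == "file"
}

func main() {
	for _, raw := range sampleURLs {
		fmt.Printf("%-34s naive=%-5v regex=%-5v parsed=%v\n",
			raw, naiveDenied(raw), regexDenied(raw), parsedDenied(raw))
	}
}
```

Running it shows the uppercase and mixed-case entries slipping past the naive rule while both corrected checks deny them; the parsed variant also rejects scheme-less and malformed input, which is a deliberate fail-closed choice for a parameter that is supposed to carry a full URL.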
Update Gotenberg to version 8.29.0 or higher. This version fixes the Chromium deny-list bypass vulnerability via case-insensitive URL schemes.
CVE-2026-27018 is a high-severity vulnerability in Gotenberg v8 that allows attackers to bypass the deny-list check and access local files using mixed-case or uppercase URL schemes.
You are affected if you are running Gotenberg v8 prior to version 8.29.0 and are exposed to external requests.
Upgrade Gotenberg to version 8.29.0 or later. As a temporary workaround, implement a WAF rule to block requests with uppercase or mixed-case URL schemes.
There are currently no confirmed reports of active exploitation, but the bypass is relatively simple to implement.
Refer to the Gotenberg security advisories on their official website or GitHub repository for the latest information.