
AIKIDO-2026-10521

github.com/gotenberg/gotenberg/v8 is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Apr 23, 2026

72

High Risk

This Affects:

Go package: github.com/gotenberg/gotenberg/v8
8.0.0 - 8.30.1
Fixed in 8.31.0

TL;DR

Gotenberg's outbound URL filtering had an improper input validation issue: it relied on regex-based allow and deny lists without robust host resolution or IP validation. Crafted URLs using hostname resolution, redirects, uppercase schemes, or IPv4-mapped IPv6 notation could therefore reach localhost, private networks, or cloud metadata services. This enabled server-side request forgery through the download, Chromium fetch, or webhook features, potentially exposing internal services or sensitive metadata.
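As an added example (not Gotenberg's code and not part of this advisory), the shape of the resolution-based check that the TL;DR contrasts with regex lists, in Go: the scheme is normalised, the host is resolved, and every resolved address is checked after unmapping IPv4-mapped IPv6 and stripping interface zones. The deny list, the function names and the injected `resolve` parameter (so the check runs offline; in production wrap `net.DefaultResolver.LookupNetIP`) are this example's own assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Constructed deny list: loopback, this-network, RFC 1918, link-local (cloud metadata) and IPv6 counterparts.
var deniedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("::1/128"), netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}

// IsDeniedIP judges the address, not its spelling: Unmap turns ::ffff:a.b.c.d back into a.b.c.d (an IPv4
// prefix never matches the mapped form) and WithZone("") strips a zone, since Prefix.Contains is false for zoned addresses.
func IsDeniedIP(ip netip.Addr) bool {
	ip = ip.Unmap().WithZone("")
	for _, p := range deniedPrefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckURL validates one outbound URL: the scheme is compared case-insensitively and every
// address the host resolves to is checked, instead of pattern-matching the host text.
func CheckURL(ctx context.Context, raw string, resolve func(context.Context, string) ([]netip.Addr, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host, addrs := u.Hostname(), []netip.Addr{}
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = append(addrs, ip) // literal IP, no DNS involved: check it directly
	} else if addrs, err = resolve(ctx, host); err != nil || len(addrs) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, a := range addrs {
		if IsDeniedIP(a) {
			return fmt.Errorf("%q resolves to denied address %s", host, a)
		}
	}
	return nil
}
```

To cover redirects, install the same check as the `http.Client.CheckRedirect` hook so every hop is validated, and note that the check and the later dial still resolve separately: a custom `DialContext` that connects to the vetted address closes that remaining window.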

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

github.com/gotenberg/gotenberg/v8 is vulnerable to Server-Side Request Forgery (SSRF) in versions 8.0.0 - 8.30.1.

How to fix this

Upgrade the github.com/gotenberg/gotenberg/v8 library to the patched version, 8.31.0 or later.