SCA: security update for github.com/gotenberg/gotenberg/v8 (GHSA-5vh4-rgv7-p9g4)

medium Tenable Cloud Security Plugin ID 441038

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with
network access can force the server to make outbound HTTP POST requests to arbitrary internal or external
destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline
function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are
empty (the default configuration), it returns nil unconditionally and permits any URL. This is a blind
SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response
status code is an error, but never returns the target's response body to the attacker. An attacker can use
this to probe internal network infrastructure by observing whether the error callback is invoked, force
POST requests against internal services that perform side effects, and confirm reachability of cloud
metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying
each probe. This issue has been fixed in version 8.31.0. As a workaround, configure the
GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set
GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges. (CVE-2026-39383)

Solution

Update the github.com/gotenberg/gotenberg/v8 library and its related packages to version 8.31.0 or later.

See Also

https://github.com/advisories/GHSA-5vh4-rgv7-p9g4

Plugin Details

Severity: Medium

ID: 441038

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 4/30/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.42

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-39383

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 5.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/30/2026

Vulnerability Publication Date: 4/30/2026

Reference Information

CVE: CVE-2026-39383

cwe: CWE-918