CRITICAL🇵🇱 Wersja polska

CVE-2026-42589

CVSS 9.8v3.1pub. 2026-05-14upd. 2026-05-18

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.

🤖 AI Analysis
How it works

The /forms/pdfengines/metadata/write endpoint accepts a JSON object with metadata and passes its keys directly to the ExifTool utility (via the go-exiftool library) without any character validation. Embedding a newline character (\n) in a JSON key causes the ExifTool stdin stream to split into a new argument line, allowing the attacker to inject arbitrary ExifTool flags. The -if flag enables Perl expression evaluation, which consequently leads to the execution of arbitrary operating system commands within a single HTTP request.

Impact

An unauthenticated attacker can achieve complete remote code execution (RCE) on the server hosting the Gotenberg container, thereby gaining access to sensitive data, ability to modify the system, or complete takeover.

Mitigation & patch

Gotenberg should be updated to version 8.31.0 or newer, in which the vulnerability has been fixed. Additionally, it is recommended to restrict network access to Gotenberg API endpoints exclusively to trusted sources at the firewall or network layer.

Who is affected

Gotenberg (Docker application) in versions prior to 8.31.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Thecodingmachine Gotenberg

    APP
    Thecodingmachine
    < 8.31.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
ContainerCommand Injection
CWE
References

Related vulnerabilities

CVE-2026-42596CRITICAL9.4PL ✓ten sam produkt

SSRF w Gotenberg — ominięcie deny-list przez IPv6-mapped adresy

CVE-2026-40281CRITICAL10.0PL ✓ten sam produkt

Gotenberg: injection w wartościach metadanych — zapis plików i symlinki

CVE-2020-13451CRITICAL9.8ten sam produkt

An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attack...

CVE-2020-13450CRITICAL9.8ten sam produkt

A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to u...

CVE-2020-13452CRITICAL9.8ten sam produkt

In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an at...