CRITICAL🇵🇱 Wersja polska

CVE-2026-40281

CVSS 10.0v3.1pub. 2026-05-06upd. 2026-05-11

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.

🤖 AI Analysis
How it works

The metadata writing endpoint validates metadata keys for control characters, however metadata values remain unsanitized. Placing a newline character in a metadata value causes the ExifTool stdin input to be split into two separate arguments. In this way, an attacker can inject arbitrary ExifTool pseudo-tags, such as -FileName, -Directory, -SymLink or -HardLink. This is a bypass of the incomplete key validation patch introduced in version 8.30.1.

Impact

An unauthorized attacker can rename or move the processed PDF file to any location in the container's file system, overwrite arbitrary files, and create symlinks and hard links under arbitrary paths, which may lead to further integrity violations of the containerized environment.

Mitigation & patch

Gotenberg should be updated to a version containing the patch available in commit 405f1069c026bb08f319fb5a44e5c67c33208318. Details are available in the vendor's references (GitHub Security Advisory GHSA-q7r4-hc83-hf2q).

Who is affected

Gotenberg (Thecodingmachine) in versions 8.30.1 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
  • Thecodingmachine Gotenberg

    APP
    Thecodingmachine
    < 8.31.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassContainer
CWE
References

Related vulnerabilities

CVE-2026-42596CRITICAL9.4PL ✓ten sam produkt

SSRF w Gotenberg — ominięcie deny-list przez IPv6-mapped adresy

CVE-2026-42589CRITICAL9.8PL ✓ten sam produkt

Gotenberg: command injection w endpoincie zapisu metadanych PDF via ExifTool

CVE-2020-13451CRITICAL9.8ten sam produkt

An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attack...

CVE-2020-13450CRITICAL9.8ten sam produkt

A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to u...

CVE-2020-13452CRITICAL9.8ten sam produkt

In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an at...