CVEFinder.io

CVE-2026-42590

⚠️ high
🔍 Scan for this CVE
Summary

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.

CVSS Score
8.2
High
EPSS Score
0.1
Exploit Probability
Published Date
2026-05-14
First Seen: 2026-05-17
📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 79.6% of all 328,009 vulnerabilities in our database.

#66,785
Top 25% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 15, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-05-18
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CWE IDs (Weakness Types)
CWE-184

📦 Affected Products 1

Vendor Product Status Affected Versions
thecodingmachine gotenberg Affected
< 8.30.0

🔗 References 1

https://github.com/gotenberg/gotenberg/security/advi...
Exploit Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-40893 ⚠️ high 8.2 0.2 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly ... 2026-05-14
CVE-2026-42589 ⛔ critical 9.8 0.1 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write... 2026-05-14
CVE-2026-42591 ⚠️ high 8.2 0.0 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/... 2026-05-14
CVE-2026-42592 🔶 medium 5.3 0.0 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, che... 2026-05-14
CVE-2026-42593 🔶 medium 5.3 0.1 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoff... 2026-05-14
CVE-2026-42594 ⚠️ high 7.5 0.0 Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine th... 2026-05-14
These CVEs affect the same products