Description
Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.
Published: 2026-05-06
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gotenberg’s metadata write endpoint validates keys but does not sanitize values. A newline character in a metadata value causes ExifTool to receive a second argument, allowing an attacker to inject pseudo-tags that can rename, move, overwrite, or link files inside the container. The result is a privilege escalation within the container’s filesystem that can compromise the integrity of all PDFs processed by the service.

Affected Systems

The gotenberg:gotenberg product, all releases up to and including version 8.30.1, is affected. Versions newer than 8.30.1 incorporate the key‑sanitization fix and are not vulnerable.

Risk and Exploitability

With a CVSS score of 10, this flaw is rated critical. No EPSS score is available, and the vulnerability is not listed in CISA KEV, but the lack of authentication and the ability to modify arbitrary files make exploitation highly attractive to attackers. An attacker can craft a malicious PDF that contains a newline in a metadata value, send it to the public API, and immediately place, rename, or overwrite files in the container.

Generated by OpenCVE AI on May 6, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to a release that includes the metadata value sanitization fix (any v8.30.2 or later).
  • If an upgrade cannot be performed immediately, run the Gotenberg container as a non‑privileged user and mount the working directory as read‑only to limit filesystem modifications.
  • Disable or restrict access to the metadata write endpoint, or apply a custom input filter that removes newline characters from metadata values before they reach ExifTool.

Generated by OpenCVE AI on May 6, 2026 at 22:51 UTC.
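The Go snippet below is an added illustration, not Gotenberg's own code, of why the key-only check described above is insufficient and what the "custom input filter" in the last recommended action needs to do. It assumes metadata reaches ExifTool as argfile lines (one `-Key=Value` argument per line, the format ExifTool reads with `-@`), so it renders each entry that way and splits it the same way the argfile reader would, contrasting the key-only check with one that also rejects control characters in values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// hasControl reports whether s contains any control character (\n, \r, NUL, ...).
func hasControl(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) {
			return true
		}
	}
	return false
}

// buildArgs renders -Key=Value lines for an ExifTool argfile (one argument
// per line, assumed here) and splits them exactly as the argfile reader would,
// so an entry that yields more than one line has escaped its own argument.
// checkValues=false reproduces the incomplete key-only check; checkValues=true
// is the hardened check that also inspects values.
func buildArgs(meta map[string]string, checkValues bool) ([]string, error) {
	keys := make([]string, 0, len(meta))
	for k := range meta {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic argument order
	var lines []string
	for _, k := range keys {
		v := meta[k]
		if hasControl(k) || (checkValues && hasControl(v)) {
			return nil, fmt.Errorf("key %q: control character in key or value", k)
		}
		lines = append(lines, strings.Split(fmt.Sprintf("-%s=%s", k, v), "\n")...)
	}
	return lines, nil
}

func main() {
	// Constructed sample: one benign value, one value smuggling a newline.
	meta := map[string]string{"Author": "Alice", "Title": "Report\n-Comment=injected"}
	lines, _ := buildArgs(meta, false)
	fmt.Printf("key-only check let %d arguments through: %q\n", len(lines), lines)
	_, err := buildArgs(meta, true)
	fmt.Println("key+value check:", err)
}
```

With the key-only check the two entries become three ExifTool arguments; with the key+value check the request is rejected before ExifTool runs.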

Advisories

Source: GitHub GHSA
ID: GHSA-q7r4-hc83-hf2q
Title: Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)

History

Thu, 07 May 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 23:00:00 +0000

Type: First Time appeared
Values removed: none
Values added: Gotenberg (vendor), gotenberg (product)

Type: Vendors & Products
Values removed: none
Values added: Gotenberg (vendor), gotenberg (product)

Wed, 06 May 2026 21:00:00 +0000

Type: Description
Values removed: none
Values added: the CVE description quoted in the Description section at the top of this page

Type: Title
Values removed: none
Values added: Gotenberg vulnerable to argument injection via newlines in ExifTool metadata values

Type: Weaknesses
Values removed: none
Values added: CWE-88

Type: References
Values removed: none
Values added: (not shown on this page)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T12:33:44.118Z

Reserved: 2026-04-10T20:22:44.034Z

Link: CVE-2026-40281

Vulnrichment

Updated: 2026-05-07T12:32:59.186Z

NVD

Status : Received

Published: 2026-05-06T21:16:01.353

Modified: 2026-05-07T13:16:10.917

Link: CVE-2026-40281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z

Weaknesses