Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. This vulnerability is fixed in 8.31.0.
Published: 2026-05-14
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gotenberg is a Docker-powered stateless API for PDF generation. Before 8.31.0 its blocklist of dangerous ExifTool tags is applied by exact string comparison against the tag name "FileName". ExifTool also accepts tag names carrying a group prefix, so a metadata key such as "System:FileName" passes the check unchanged and ExifTool treats the supplied value as a new file name; the advisory's mention of moves and permission changes reflects the same family of filesystem-writing System tags (ExifTool's Directory and FilePermissions tags work the same way). A remote attacker can therefore rename, move or change the permissions of any file the Gotenberg process user can write to, inside the container and on any volume mounted into it, which can break the service or, where volumes are shared, affect other workloads. The CVSS vector records a high integrity impact and a low availability impact with no confidentiality impact, so this is a tampering and denial-of-service primitive rather than a data-disclosure one. The weaknesses are CWE-73 (External Control of File Name or Path) and CWE-184 (Incomplete List of Disallowed Inputs): an incomplete denylist, not a directory traversal bug in the classic sense.

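The check described above, as an added illustration in Go (Gotenberg's language) that is not Gotenberg's own code: an exact-match blocklist of the kind the advisory describes beside one that first normalizes the key by stripping ExifTool group prefixes, case and the numeric "#" suffix. The denylist contents, the function names, the wildcard handling and the sample metadata map are assumptions made for this example; the real list Gotenberg uses is not on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Illustrative denylist of ExifTool's writable "System" tags, which act on the
// file itself rather than on its metadata. Assumption for this example: the
// exact list Gotenberg uses is not on the advisory page.
var filesystemTags = map[string]bool{
	"filename":        true, // rename / move
	"directory":       true, // move to another directory
	"filepermissions": true, // chmod
	"filemodifydate":  true,
	"filecreatedate":  true,
	"hardlink":        true,
	"symlink":         true,
	"testname":        true,
}

// isDangerousExact reproduces the pre-8.31.0 behaviour described in the CVE:
// the key must equal "FileName" verbatim, so "System:FileName" is not caught.
func isDangerousExact(key string) bool {
	return key == "FileName"
}

// normalizeTag reduces an ExifTool tag specifier to its bare, lower-cased tag
// name. ExifTool accepts optional group prefixes ("System:FileName",
// "File:System:FileName"), matches tag names case-insensitively, and allows a
// trailing '#' to request the numeric form of a value.
func normalizeTag(key string) string {
	t := strings.TrimSpace(key)
	t = strings.TrimSuffix(t, "#")
	if i := strings.LastIndex(t, ":"); i >= 0 {
		t = t[i+1:]
	}
	return strings.ToLower(t)
}

// isDangerousHardened rejects a key if its normalized tag name is on the
// denylist, or if the key could expand to several tags ("all", wildcards) or
// starts with "-" and could be misparsed as an exiftool option.
func isDangerousHardened(key string) bool {
	if strings.HasPrefix(strings.TrimSpace(key), "-") {
		return true
	}
	t := normalizeTag(key)
	if t == "" || t == "all" || strings.ContainsAny(t, "*?") {
		return true
	}
	return filesystemTags[t]
}

// filterMetadata splits a metadata map into the keys that may be handed to
// exiftool and those that must be refused, using the hardened check.
func filterMetadata(meta map[string]string) (accepted map[string]string, rejected []string) {
	accepted = map[string]string{}
	for k, v := range meta {
		if isDangerousHardened(k) {
			rejected = append(rejected, k)
			continue
		}
		accepted[k] = v
	}
	sort.Strings(rejected)
	return accepted, rejected
}

func main() {
	// Constructed sample request body: legitimate PDF metadata mixed with the
	// bypass from the advisory and two variants ExifTool would also honour.
	meta := map[string]string{
		"Title":           "Quarterly report",
		"XMP-dc:Creator":  "finance",
		"System:FileName": "/tmp/evil.pdf",
		"system:filename": "/tmp/evil2.pdf",
		"FilePermissions": "777",
	}
	for _, k := range []string{"FileName", "System:FileName", "system:filename", "FilePermissions", "XMP-dc:Creator"} {
		fmt.Printf("%-18s exact=%-5v hardened=%v\n", k, isDangerousExact(k), isDangerousHardened(k))
	}
	accepted, rejected := filterMetadata(meta)
	fmt.Println("accepted:", accepted)
	fmt.Println("rejected:", rejected)
}
```

The point of normalizing before comparing is that the denylist then matches what ExifTool will actually resolve, not the literal string the client sent. Even so, a denylist remains a CWE-184 risk whenever ExifTool grows a new filesystem-writing tag; an allowlist of the metadata tags the service actually needs to set (Title, Author, Subject, Keywords and so on) is the stronger design. Value handling (for example ExifTool's "<" and "+=" assignment forms) is a separate concern not covered here.
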
Affected Systems

This vulnerability affects every Gotenberg deployment running a version earlier than 8.31.0, including the official Docker images. The CVSS vector records no privileges required (PR:N), so deployments that expose the API without network isolation or an authenticating front end, or that bind-mount writable host directories into the container, are the ones most at risk: the tag check is the only barrier between a request and a file operation.

Risk and Exploitability

The CVSS 3.1 score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) rates this high: reachable over the network, low complexity, no privileges or user interaction, high integrity impact, low availability impact and no confidentiality impact. No EPSS score is reported and the CVE is not in the CISA KEV catalog, but the SSVC record in the history below marks exploitation as "poc" and the flaw as automatable. Exploitation needs only the ability to submit a metadata write request to the API; a crafted key such as System:FileName is enough to trigger the rename or move. Arbitrary file manipulation can enable further impact (tampering with files used by later conversions, or denial of service by moving files the service needs), bounded by what the Gotenberg process user can write.

Generated by OpenCVE AI on May 14, 2026 at 18:32 UTC.

Remediation

The vendor fix is Gotenberg 8.31.0; both the CVE description and GHSA-62p3-hvxx-fxg4 record the issue as fixed there. No separate workaround is published, so the actions below are defence in depth, not a substitute for upgrading.

OpenCVE Recommended Actions

  • Upgrade to Gotenberg version 8.31.0 or later to apply the ExifTool tag validation fix.
  • Do not expose the Gotenberg API directly: bind it to a private interface or place an authenticating reverse proxy in front of it and restrict source addresses to trusted ranges, so that unauthenticated requests cannot reach the metadata endpoints.
  • Run the container as an unprivileged user with a read-only root filesystem and a writable tmpfs only where Gotenberg needs a working directory, drop capabilities, and never bind-mount writable host paths into it. The ExifTool process then runs as that same user and can only rename, move or chmod files inside its own scratch space, never host or image files.

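A deployment of the kind the last action describes, as an added example and not Gotenberg's own documentation. Assumptions made here: the image name gotenberg/gotenberg and listening port 3000 (its defaults), that the image's unprivileged user is UID/GID 1001, and that Gotenberg only needs writable /tmp and the container user's home directory; verify each against your image before relying on it.

```yaml
# Added hardening example for docker compose (not from the Gotenberg project).
services:
  gotenberg:
    image: gotenberg/gotenberg:8.31.0   # fixed release; the rest is defence in depth
    ports:
      - "127.0.0.1:3000:3000"           # not reachable from outside the host; front it with an authenticating proxy
    user: "1001:1001"                   # assumption: the image's non-root user
    read_only: true                     # root filesystem immutable: exiftool cannot rename, move or chmod image files
    tmpfs:
      - /tmp                            # Gotenberg's working files (assumption: the only writable path it needs)
      - /home/gotenberg                 # assumption: the container user's home, for Chromium's profile
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    # Deliberately no "volumes:" entry: a writable bind mount would put host files within reach of the rename.
```

With this layout an attacker who reaches the API on a still-vulnerable version can only move or chmod files inside the tmpfs mounts, all owned by the same unprivileged user, which limits the blast radius to the conversion job itself.
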
Advisories
Source: GitHub GHSA
ID: GHSA-62p3-hvxx-fxg4
Title: Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move
History

Thu, 14 May 2026 18:30:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 17:45:00 +0000

Values added:
  First Time appeared: Gotenberg (vendor), Gotenberg gotenberg (product)
  Vendors & Products: Gotenberg (vendor), Gotenberg gotenberg (product)

Thu, 14 May 2026 16:15:00 +0000

Values added:
  Description: Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. This vulnerability is fixed in 8.31.0.
  Title: Gotenberg: ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names Allows Arbitrary File Rename and Move
  Weaknesses: CWE-184, CWE-73
  References: (empty)
  Metrics (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:08:26.208Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40893

Vulnrichment

Updated: 2026-05-14T18:08:18.299Z

NVD

Status : Undergoing Analysis

Published: 2026-05-14T16:16:20.323

Modified: 2026-05-14T18:16:45.910

Link: CVE-2026-40893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T18:45:26Z

Weaknesses