Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.
Published: 2026-05-14
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Gotenberg allows an attacker to perform remote code execution by exploiting the lack of validation on JSON metadata keys sent to the /forms/pdfengines/metadata/write endpoint. By embedding a newline within a key, the payload is split into a new argument line for ExifTool, enabling malicious flags such as -if that execute arbitrary Perl expressions. This flaw can be triggered in a single HTTP request and results in a normal HTTP 200 response containing a PDF, making detection difficult. The CVSS score for this issue is 9.8 and the associated CWE is 78. The exploit does not require authentication.

Affected Systems

Affected products include the Gotenberg containerized PDF API; all versions prior to 8.31.0 are vulnerable. The issue is specific to the /forms/pdfengines/metadata/write endpoint, which passes metadata keys to ExifTool via the go-exiftool library.

Risk and Exploitability

Given its high severity CVSS score and lack of existing mitigations, this flaw poses a critical risk to unprotected instances. The EPSS score is not available, but because the endpoint is unauthenticated, the attack can be attempted by anyone with network access. The vulnerability is not currently listed in the CISA KEV catalog, but exploitation would likely pass unnoticed by basic monitoring, because the response is a benign-looking HTTP 200 carrying a valid PDF.

Generated by OpenCVE AI on May 14, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to version 8.31.0 or later, where the bug is fixed.
  • Restrict or disable the /forms/pdfengines/metadata/write endpoint for unauthenticated traffic until the patch is applied.
  • Implement or enforce sanitization of metadata keys to strip newline characters or limit allowed characters before processing by ExifTool.
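The sanitization the last item calls for, shown as an added example in Go (Gotenberg's implementation language) that is not Gotenberg's own code or its 8.31.0 fix: every metadata key is checked before a "-Key=Value" argument is built for ExifTool, and the request fails closed on the first bad key. The tag-name allowlist and the extra check on values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode"
)

// Allowlist for tag names, optionally group-prefixed ("XMP-dc:Title"). This is an
// assumed policy for the example, not Gotenberg's own rule.
var tagName = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_-]{0,63}(:[A-Za-z][A-Za-z0-9_-]{0,63})?$`)

// hasControl reports whether s has a control character (\n, \r, NUL, ...). ExifTool
// reads one argument per line from stdin here, so such a byte ends the argument line.
func hasControl(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) {
			return true
		}
	}
	return false
}

// ValidateMetadataKey fails closed on keys that could become a new argument line
// or be read as an option (a key starting with "-").
func ValidateMetadataKey(key string) error {
	if hasControl(key) {
		return fmt.Errorf("metadata key %q contains a control character", key)
	}
	if !tagName.MatchString(key) {
		return fmt.Errorf("metadata key %q is not a valid tag name", key)
	}
	return nil
}

// BuildWriteArgs turns the JSON metadata object into "-Key=Value" arguments,
// refusing the whole request on the first bad key. As a precaution beyond what
// the advisory describes, values with control characters are refused too.
func BuildWriteArgs(metadata map[string]string) ([]string, error) {
	args := make([]string, 0, len(metadata))
	for k, v := range metadata {
		if err := ValidateMetadataKey(k); err != nil {
			return nil, err
		}
		if hasControl(v) {
			return nil, fmt.Errorf("metadata value for %q contains a control character", k)
		}
		args = append(args, fmt.Sprintf("-%s=%s", k, v))
	}
	return args, nil
}
```

The validation runs on the decoded JSON object before anything reaches the go-exiftool call, so a key such as "Title\nInjected" is rejected with a 4xx-style error instead of producing a second argument line.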



Advisories
Source: GitHub GHSA
ID: GHSA-rqgh-gxv4-6657
Title: Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection
History

Thu, 14 May 2026 17:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Gotenberg; Gotenberg gotenberg

Type: Vendors & Products
Values Removed: (none)
Values Added: Gotenberg; Gotenberg gotenberg

Thu, 14 May 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: the Description text shown at the top of this page

Type: Title
Values Removed: (none)
Values Added: Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-78

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:59:21.125Z

Reserved: 2026-04-29T00:31:15.724Z

Link: CVE-2026-42589

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-14T16:16:21.867

Modified: 2026-05-14T16:28:04.847

Link: CVE-2026-42589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T17:30:15Z

Weaknesses